Edit tour

Linux Analysis Report
ij5Z8oy5e3.elf

Overview

General Information

Sample name:	ij5Z8oy5e3.elf renamed because original name is a hash value
Original sample name:	d13b153834dce9ac002fc83652d65fad.elf
Analysis ID:	1431629
MD5:	d13b153834dce9ac002fc83652d65fad
SHA1:	15f285d66a059c498f7abb6a88a8709f7ff355e8
SHA256:	da35d9fdeb215fb242d2b803c2faeaa47f8e46f21f8a5955e5dba11c1f2f04a3
Tags:	32elfintelmirai
Infos:

Detection

Mirai

Score:	96
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Detected Mirai

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Machine Learning detection for sample

Sample tries to kill multiple processes (SIGKILL)

Sends malformed DNS queries

Uses dynamic DNS services

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample tries to kill a process (SIGKILL)

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431629
Start date and time:	2024-04-25 14:47:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	ij5Z8oy5e3.elf renamed because original name is a hash value
Original Sample Name:	d13b153834dce9ac002fc83652d65fad.elf
Detection:	MAL
Classification:	mal96.spre.troj.linELF@0/0@66/0

Runtime Messages

Command:	/tmp/ij5Z8oy5e3.elf
PID:	5514
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	most3
Standard Error:

Process Tree

system is lnxubuntu20

ij5Z8oy5e3.elf (PID: 5514, Parent: 5434, MD5: d13b153834dce9ac002fc83652d65fad) Arguments: /tmp/ij5Z8oy5e3.elf

ij5Z8oy5e3.elf New Fork (PID: 5515, Parent: 5514)

ij5Z8oy5e3.elf New Fork (PID: 5516, Parent: 5515)

ij5Z8oy5e3.elf New Fork (PID: 5517, Parent: 5516)

xfce4-session New Fork (PID: 5533, Parent: 2984)

xfdesktop (PID: 5533, Parent: 2984, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528

xfce4-session New Fork (PID: 5534, Parent: 2984)

xfdesktop (PID: 5534, Parent: 2984, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528

xfce4-session New Fork (PID: 5539, Parent: 2984)

xfdesktop (PID: 5539, Parent: 2984, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528

xfce4-session New Fork (PID: 5540, Parent: 2984)

xfdesktop (PID: 5540, Parent: 2984, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528

xfce4-session New Fork (PID: 5543, Parent: 2984)

xfdesktop (PID: 5543, Parent: 2984, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ij5Z8oy5e3.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x105b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x105cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x105e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x105f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10608:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1061c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10630:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10644:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10658:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1066c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10680:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10694:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x106a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x106bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x106d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x106e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x106f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1070c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10720:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10734:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10748:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
ij5Z8oy5e3.elf	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x3ca0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
ij5Z8oy5e3.elf	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x9435:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
ij5Z8oy5e3.elf	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x5d32:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
ij5Z8oy5e3.elf	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xc5dc:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
ij5Z8oy5e3.elf	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xae98:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
ij5Z8oy5e3.elf	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x5d02:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
5517.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x105b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x105cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x105e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x105f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10608:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1061c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10630:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10644:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10658:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1066c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10680:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10694:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x106a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x106bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x106d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x106e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x106f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1070c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10720:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10734:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10748:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5517.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x3ca0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5517.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x9435:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
5517.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x5d32:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5517.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xc5dc:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
5517.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xae98:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
5517.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x5d02:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
5514.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x105b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x105cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x105e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x105f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10608:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1061c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10630:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10644:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10658:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1066c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10680:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10694:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x106a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x106bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x106d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x106e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x106f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1070c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10720:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10734:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x10748:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5514.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_b14f4c5d	unknown	unknown	0x3ca0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5514.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_5f7b67b8	unknown	unknown	0x9435:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
5514.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_88de437f	unknown	unknown	0x5d32:$a: 24 08 8B 4C 24 04 85 D2 74 0D 31 C0 89 F6 C6 04 08 00 40 39 D0
5514.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_389ee3e9	unknown	unknown	0xc5dc:$a: 89 45 00 EB 2C 8B 4B 04 8B 13 8B 7B 18 8B 01 01 02 8B 02 83
5514.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_cc93863b	unknown	unknown	0xae98:$a: C3 57 8B 44 24 0C 8B 4C 24 10 8B 7C 24 08 F3 AA 8B 44 24 08
5514.1.0000000008048000.000000000805b000.r-x.sdmp	Linux_Trojan_Mirai_8aa7b5d3	unknown	unknown	0x5d02:$a: 8B 4C 24 14 8B 74 24 0C 8B 5C 24 10 85 C9 74 0D 31 D2 8A 04 1A 88
Process Memory Space: ij5Z8oy5e3.elf PID: 5514	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x953:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x967:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x97b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x98f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9a3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9b7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9cb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9df:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9f3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa07:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa1b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa2f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa43:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa57:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa6b:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa7f:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa93:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xaa7:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xabb:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xacf:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xae3:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: ij5Z8oy5e3.elf PID: 5517	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x900:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x914:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x928:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x93c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x950:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x964:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x978:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x98c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9a0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x9f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa04:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa18:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa2c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa40:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa54:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa68:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa7c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xa90:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Click to see the 11 entries

Snort Signatures

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 203.145.46.240

Timestamp:	04/25/24-14:48:21.378144
SID:	2030490
Source Port:	37334
Destination Port:	2023
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 203.145.46.240

Timestamp:	04/25/24-14:48:40.337993
SID:	2030490
Source Port:	37336
Destination Port:	2023
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response - Source IP: 203.145.46.240 - Destination IP: 192.168.2.13

Timestamp:	04/25/24-14:48:42.940221
SID:	2030489
Source Port:	2023
Destination Port:	37336
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response - Source IP: 203.145.46.240 - Destination IP: 192.168.2.13

Timestamp:	04/25/24-14:49:01.934782
SID:	2030489
Source Port:	2023
Destination Port:	37338
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response - Source IP: 203.145.46.240 - Destination IP: 192.168.2.13

Timestamp:	04/25/24-14:48:25.195752
SID:	2030489
Source Port:	2023
Destination Port:	37334
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response - Source IP: 203.145.46.240 - Destination IP: 192.168.2.13

Timestamp:	04/25/24-14:49:22.834839
SID:	2030489
Source Port:	2023
Destination Port:	37340
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 203.145.46.240

Timestamp:	04/25/24-14:48:58.001649
SID:	2030490
Source Port:	37338
Destination Port:	2023
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 203.145.46.240

Timestamp:	04/25/24-14:49:18.280942
SID:	2030490
Source Port:	37340
Destination Port:	2023
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response - Source IP: 203.145.46.240 - Destination IP: 192.168.2.13

Timestamp:	04/25/24-14:50:09.248367
SID:	2030489
Source Port:	2023
Destination Port:	37346
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) - Source IP: 192.168.2.13 - Destination IP: 203.145.46.240

Timestamp:	04/25/24-14:49:51.601829
SID:	2030490
Source Port:	37346
Destination Port:	2023
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ij5Z8oy5e3.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: ij5Z8oy5e3.elf	ReversingLabs: Detection: 70%
Source: ij5Z8oy5e3.elf	Virustotal: Detection: 44%			Perma Link

Machine Learning detection for sample

Source: ij5Z8oy5e3.elf

Joe Sandbox ML: detected

Source: ij5Z8oy5e3.elf

String: HTTP/1.1 200 OKmost-armmost-arm5most-arm6most-arm7most-mipsmost-mpslmost-x86_64most-sh4./dvr_gui./upnp_server./dvr_app/proc/proc/%s/cmdline./pkillkillallwgetbusyboxtopcurltftppgrepxargsawktoyboxKh

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:37334 -> 203.145.46.240:2023
Source: Traffic	Snort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 203.145.46.240:2023 -> 192.168.2.13:37334
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:37336 -> 203.145.46.240:2023
Source: Traffic	Snort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 203.145.46.240:2023 -> 192.168.2.13:37336
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:37338 -> 203.145.46.240:2023
Source: Traffic	Snort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 203.145.46.240:2023 -> 192.168.2.13:37338
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:37340 -> 203.145.46.240:2023
Source: Traffic	Snort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 203.145.46.240:2023 -> 192.168.2.13:37340
Source: Traffic	Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:37346 -> 203.145.46.240:2023
Source: Traffic	Snort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 203.145.46.240:2023 -> 192.168.2.13:37346

Sends malformed DNS queries

Source: global traffic	DNS traffic detected: malformed DNS query: aomacamada.ddns.net. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: net-killer.ddns.net. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: Vet-killer.io.v. [malformed]
Source: global traffic	DNS traffic detected: malformed DNS query: net-killer.ooguy.com. [malformed]

Uses dynamic DNS services

Source: unknown	DNS query: name: net-killer.ddns.net
Source: unknown	DNS query: name: aomacamada.ddns.net
Source: unknown	DNS query: name: aomacamada.ddns.net. [malformed]
Source: unknown	DNS query: name: net-killer.ddns.net. [malformed]

Source: global traffic	TCP traffic: 192.168.2.13:37334 -> 203.145.46.240:2023
Source: global traffic	TCP traffic: 192.168.2.13:41034 -> 51.79.217.59:2023

Source: global traffic	DNS traffic detected: DNS query: net-killer.ooguy.com
Source: global traffic	DNS traffic detected: DNS query: aomacamada.ddns.net. [malformed]
Source: global traffic	DNS traffic detected: DNS query: net-killer.ddns.net. [malformed]
Source: global traffic	DNS traffic detected: DNS query: Vet-killer.io.v. [malformed]
Source: global traffic	DNS traffic detected: DNS query: net-killer.ooguy.com. [malformed]
Source: global traffic	DNS traffic detected: DNS query: aomacamada.ddns.net
Source: global traffic	DNS traffic detected: DNS query: net-killer.ddns.net
Source: global traffic	DNS traffic detected: DNS query: domain-botnet.servehttp.com

System Summary

Malicious sample detected (through community Yara rule)

Source: ij5Z8oy5e3.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: ij5Z8oy5e3.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: ij5Z8oy5e3.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: ij5Z8oy5e3.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: ij5Z8oy5e3.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: ij5Z8oy5e3.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: ij5Z8oy5e3.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5517.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5517.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5517.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5517.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5517.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5517.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5517.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5514.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5514.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5514.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5514.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5514.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5514.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5514.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: Process Memory Space: ij5Z8oy5e3.elf PID: 5514, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: ij5Z8oy5e3.elf PID: 5517, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 914, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 917, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 1238, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 1320, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 3158, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 5533, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 5534, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 5539, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 5540, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 5543, result: successful	Jump to behavior

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: HTTP/1.1 200 OKmost-armmost-arm5most-arm6most-arm7most-mipsmost-mpslmost-x86_64most-sh4./dvr_gui./upnp_server./dvr_app/proc/proc/%s/cmdline./pkillkillallwgetbusyboxtopcurltftppgrepxargsawktoyboxKh

Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 914, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 917, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 1238, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 1320, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 3158, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 5533, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 5534, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 5539, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 5540, result: successful	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	SIGKILL sent: pid: 5543, result: successful	Jump to behavior

Source: ij5Z8oy5e3.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: ij5Z8oy5e3.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: ij5Z8oy5e3.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: ij5Z8oy5e3.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: ij5Z8oy5e3.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: ij5Z8oy5e3.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: ij5Z8oy5e3.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5517.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5517.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5517.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5517.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5517.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5517.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5517.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5514.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5514.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5514.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5514.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5514.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5514.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5514.1.0000000008048000.000000000805b000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: Process Memory Space: ij5Z8oy5e3.elf PID: 5514, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: ij5Z8oy5e3.elf PID: 5517, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal96.spre.troj.linELF@0/0@66/0

Source: /usr/bin/xfdesktop (PID: 5534)	Directory: /home/saturnino/.Xdefaults-galassia	Jump to behavior
Source: /usr/bin/xfdesktop (PID: 5539)	Directory: /home/saturnino/.Xdefaults-galassia	Jump to behavior
Source: /usr/bin/xfdesktop (PID: 5540)	Directory: /home/saturnino/.Xdefaults-galassia	Jump to behavior

Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/238/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/239/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/3095/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/241/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/1906/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/3420/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/1482/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/1480/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/371/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/1238/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/134/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/3413/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/1475/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/936/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/816/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/35/cmdline	Jump to behavior
Source: /tmp/ij5Z8oy5e3.elf (PID: 5516)	File opened: /proc/3310/cmdline	Jump to behavior

Source: /usr/bin/xfdesktop (PID: 5534)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/xfdesktop (PID: 5539)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/xfdesktop (PID: 5540)	Queries kernel information via 'uname':	Jump to behavior

Remote Access Functionality

Detected Mirai

Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
Source: Traffic	Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	Path Interception	1 Hidden Files and Directories	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ij5Z8oy5e3.elf	70%	ReversingLabs	Linux.Trojan.Mirai
ij5Z8oy5e3.elf	45%	Virustotal		Browse
ij5Z8oy5e3.elf	100%	Avira	EXP/ELF.Mirai.Z.A
ij5Z8oy5e3.elf	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
aomacamada.ddns.net	8%	Virustotal	Browse
net-killer.ddns.net	18%	Virustotal	Browse
net-killer.ooguy.com	4%	Virustotal	Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
aomacamada.ddns.net	203.145.46.240	true	true	8%, Virustotal, Browse	unknown
net-killer.ddns.net	203.145.46.240	true	true	18%, Virustotal, Browse	unknown
net-killer.ooguy.com	203.145.46.240	true	true	4%, Virustotal, Browse	unknown
domain-botnet.servehttp.com	51.79.217.59	true	false		unknown
aomacamada.ddns.net. [malformed]	unknown	unknown	true		unknown
net-killer.ooguy.com. [malformed]	unknown	unknown	true		unknown
net-killer.ddns.net. [malformed]	unknown	unknown	true		unknown
Vet-killer.io.v. [malformed]	unknown	unknown	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
51.79.217.59	domain-botnet.servehttp.com	Canada		16276	OVHFR	false
203.145.46.240	aomacamada.ddns.net	unknown		9313	ONTHENET-ASNetworkTechnologyAUSTPLAU	true

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
51.79.217.59	iuMawBi6yU.elf	Get hash	malicious	Mirai	Browse
	aMTecZscrq.elf	Get hash	malicious	Unknown	Browse
	v2cDqXmZtv.elf	Get hash	malicious	Mirai	Browse
	Wd2T9v9ZMT.elf	Get hash	malicious	Mirai	Browse
	7T1vOaCJto.elf	Get hash	malicious	Mirai	Browse
203.145.46.240	iuMawBi6yU.elf	Get hash	malicious	Mirai	Browse
	aMTecZscrq.elf	Get hash	malicious	Unknown	Browse
	wvg9YxoOiG.elf	Get hash	malicious	Mirai	Browse
	v2cDqXmZtv.elf	Get hash	malicious	Mirai	Browse
	EV66ROvDut.elf	Get hash	malicious	Mirai	Browse
	Wd2T9v9ZMT.elf	Get hash	malicious	Mirai	Browse
	7T1vOaCJto.elf	Get hash	malicious	Mirai	Browse
	sGQ61OAVck.elf	Get hash	malicious	Mirai	Browse
	0oJ784pwEP.elf	Get hash	malicious	Mirai	Browse
	7oIrVgpQFQ.elf	Get hash	malicious	Mirai	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
net-killer.ooguy.com	sGQ61OAVck.elf	Get hash	malicious	Mirai	Browse	203.145.46.240
net-killer.ooguy.com	0oJ784pwEP.elf	Get hash	malicious	Mirai	Browse	203.145.46.240
domain-botnet.servehttp.com	iuMawBi6yU.elf	Get hash	malicious	Mirai	Browse	51.79.217.59
	aMTecZscrq.elf	Get hash	malicious	Unknown	Browse	51.79.217.59
	v2cDqXmZtv.elf	Get hash	malicious	Mirai	Browse	51.79.217.59
	Wd2T9v9ZMT.elf	Get hash	malicious	Mirai	Browse	51.79.217.59
	7T1vOaCJto.elf	Get hash	malicious	Mirai	Browse	51.79.217.59
	n4J9NMfLTM.elf	Get hash	malicious	Mirai	Browse	203.145.46.240
	4wngRroxli.elf	Get hash	malicious	Mirai	Browse	203.145.46.240
	igIKGnfg87.elf	Get hash	malicious	Mirai	Browse	203.145.46.240

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ONTHENET-ASNetworkTechnologyAUSTPLAU	iuMawBi6yU.elf	Get hash	malicious	Mirai	Browse	203.145.46.240
	aMTecZscrq.elf	Get hash	malicious	Unknown	Browse	203.145.46.240
	wvg9YxoOiG.elf	Get hash	malicious	Mirai	Browse	203.145.46.240
	v2cDqXmZtv.elf	Get hash	malicious	Mirai	Browse	203.145.46.240
	EV66ROvDut.elf	Get hash	malicious	Mirai	Browse	203.145.46.240
	Wd2T9v9ZMT.elf	Get hash	malicious	Mirai	Browse	203.145.46.240
	7T1vOaCJto.elf	Get hash	malicious	Mirai	Browse	203.145.46.240
	sGQ61OAVck.elf	Get hash	malicious	Mirai	Browse	203.145.46.240
	0oJ784pwEP.elf	Get hash	malicious	Mirai	Browse	203.145.46.240
	7oIrVgpQFQ.elf	Get hash	malicious	Mirai	Browse	203.145.46.240
OVHFR	iuMawBi6yU.elf	Get hash	malicious	Mirai	Browse	51.79.217.59
	aMTecZscrq.elf	Get hash	malicious	Unknown	Browse	51.79.217.59
	http://rapnews.pl	Get hash	malicious	Unknown	Browse	213.186.33.5
	https://ortelia.com/download-ortelia-curator/	Get hash	malicious	Havoc	Browse	139.99.130.163
	https://clicks.aweber.com/y/ct/?l=irQzWw&m=hE2OWd5T.UYPuTr&b=hqint4ojZ0QPjD7.f4mxDg#Ym5hbmRlcnNvbkBwcmVzaWRpby5jb20=	Get hash	malicious	HTMLPhisher	Browse	51.210.113.194
	SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe	Get hash	malicious	Exela Stealer, Python Stealer	Browse	51.38.43.18
	lmg1_Mlakaifa443456.vbs	Get hash	malicious	AsyncRAT, DcRat, Remcos	Browse	139.99.133.66
	https://campaign-statistics.com/link_click/PJygYHTMZ2_OXDfP/30633247af9f78d20f1e067eab9a8276	Get hash	malicious	HTMLPhisher	Browse	91.134.146.191
	https://i.imgur.com/VlAllek.png	Get hash	malicious	Unknown	Browse	51.79.152.81
	BM-FM_NR.24040718PDF.exe	Get hash	malicious	FormBook, GuLoader	Browse	51.77.215.151

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:
Entropy (8bit):	5.594582981184022
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	ij5Z8oy5e3.elf
File size:	96'388 bytes
MD5:	d13b153834dce9ac002fc83652d65fad
SHA1:	15f285d66a059c498f7abb6a88a8709f7ff355e8
SHA256:	da35d9fdeb215fb242d2b803c2faeaa47f8e46f21f8a5955e5dba11c1f2f04a3
SHA512:	4a82c6905910a736620a266d95a336216e02cba25cb3dad8790ce02b82dc06cdbae886f2db58f001a97885e0d9fbbe6bf9cbb9094860ab494eda3dea5d804d51
SSDEEP:	1536:bZxGp9fzWp6y0HP3SwuKXzWNc9ponbXU94uSfcRVL4:VE/fztxvSnmU0p6bE+3uL
TLSH:	DC936EC5F743D5F1FC4301B11077AB365F32E0B9212ADA42C769BA32EC92952DA1AB5C
File Content Preview:	.ELF....................d...4....v......4. ...(.....................0#..0#...............0...........F..,...........Q.td............................U..S.......{/...h........[]...$.............U......=.....t..5....D......D.......u........t....h0...........

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/25/24-14:48:21.378144	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	37334	2023	192.168.2.13	203.145.46.240
04/25/24-14:48:40.337993	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	37336	2023	192.168.2.13	203.145.46.240
04/25/24-14:48:42.940221	TCP	2030489	ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response	2023	37336	203.145.46.240	192.168.2.13
04/25/24-14:49:01.934782	TCP	2030489	ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response	2023	37338	203.145.46.240	192.168.2.13
04/25/24-14:48:25.195752	TCP	2030489	ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response	2023	37334	203.145.46.240	192.168.2.13
04/25/24-14:49:22.834839	TCP	2030489	ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response	2023	37340	203.145.46.240	192.168.2.13
04/25/24-14:48:58.001649	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	37338	2023	192.168.2.13	203.145.46.240
04/25/24-14:49:18.280942	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	37340	2023	192.168.2.13	203.145.46.240
04/25/24-14:50:09.248367	TCP	2030489	ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response	2023	37346	203.145.46.240	192.168.2.13
04/25/24-14:49:51.601829	TCP	2030490	ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)	37346	2023	192.168.2.13	203.145.46.240

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 14:48:20.008480072 CEST	37334	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:48:21.009941101 CEST	37334	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:48:21.377975941 CEST	2023	37334	203.145.46.240	192.168.2.13
Apr 25, 2024 14:48:21.378084898 CEST	37334	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:48:21.378144026 CEST	37334	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:48:21.728471994 CEST	2023	37334	203.145.46.240	192.168.2.13
Apr 25, 2024 14:48:25.195751905 CEST	2023	37334	203.145.46.240	192.168.2.13
Apr 25, 2024 14:48:25.195852041 CEST	37334	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:48:34.230196953 CEST	2023	37334	203.145.46.240	192.168.2.13
Apr 25, 2024 14:48:39.986394882 CEST	37336	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:48:40.337876081 CEST	2023	37336	203.145.46.240	192.168.2.13
Apr 25, 2024 14:48:40.337954044 CEST	37336	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:48:40.337992907 CEST	37336	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:48:40.689296961 CEST	2023	37336	203.145.46.240	192.168.2.13
Apr 25, 2024 14:48:42.940221071 CEST	2023	37336	203.145.46.240	192.168.2.13
Apr 25, 2024 14:48:42.940275908 CEST	37336	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:48:50.530213118 CEST	2023	37336	203.145.46.240	192.168.2.13
Apr 25, 2024 14:48:57.655833006 CEST	37338	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:48:58.001491070 CEST	2023	37338	203.145.46.240	192.168.2.13
Apr 25, 2024 14:48:58.001576900 CEST	37338	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:48:58.001648903 CEST	37338	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:48:58.346434116 CEST	2023	37338	203.145.46.240	192.168.2.13
Apr 25, 2024 14:49:01.934782028 CEST	2023	37338	203.145.46.240	192.168.2.13
Apr 25, 2024 14:49:01.934843063 CEST	37338	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:49:07.816807032 CEST	2023	37338	203.145.46.240	192.168.2.13
Apr 25, 2024 14:49:17.927994967 CEST	37340	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:49:18.280812025 CEST	2023	37340	203.145.46.240	192.168.2.13
Apr 25, 2024 14:49:18.280877113 CEST	37340	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:49:18.280941963 CEST	37340	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:49:18.630024910 CEST	2023	37340	203.145.46.240	192.168.2.13
Apr 25, 2024 14:49:22.109016895 CEST	2023	37340	203.145.46.240	192.168.2.13
Apr 25, 2024 14:49:22.109081984 CEST	37340	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:49:22.834839106 CEST	2023	37340	203.145.46.240	192.168.2.13
Apr 25, 2024 14:49:22.834914923 CEST	37340	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:49:27.372447968 CEST	2023	37340	203.145.46.240	192.168.2.13
Apr 25, 2024 14:49:27.372565985 CEST	37340	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:49:27.721062899 CEST	2023	37340	203.145.46.240	192.168.2.13
Apr 25, 2024 14:49:32.498447895 CEST	41034	2023	192.168.2.13	51.79.217.59
Apr 25, 2024 14:49:32.823250055 CEST	2023	41034	51.79.217.59	192.168.2.13
Apr 25, 2024 14:49:44.169743061 CEST	41036	2023	192.168.2.13	51.79.217.59
Apr 25, 2024 14:49:44.492706060 CEST	2023	41036	51.79.217.59	192.168.2.13
Apr 25, 2024 14:49:49.272300005 CEST	37346	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:49:49.622369051 CEST	2023	37346	203.145.46.240	192.168.2.13
Apr 25, 2024 14:49:49.622457981 CEST	37346	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:49:49.622556925 CEST	37346	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:49:50.549803972 CEST	37346	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:49:51.029120922 CEST	2023	37346	203.145.46.240	192.168.2.13
Apr 25, 2024 14:49:51.029192924 CEST	37346	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:49:51.432621002 CEST	2023	37346	203.145.46.240	192.168.2.13
Apr 25, 2024 14:49:51.432734013 CEST	37346	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:49:51.601829052 CEST	37346	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:49:51.974392891 CEST	2023	37346	203.145.46.240	192.168.2.13
Apr 25, 2024 14:50:01.442039013 CEST	37346	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:50:01.837162018 CEST	2023	37346	203.145.46.240	192.168.2.13
Apr 25, 2024 14:50:06.102408886 CEST	2023	37346	203.145.46.240	192.168.2.13
Apr 25, 2024 14:50:06.102529049 CEST	37346	2023	192.168.2.13	203.145.46.240
Apr 25, 2024 14:50:09.248367071 CEST	2023	37346	203.145.46.240	192.168.2.13
Apr 25, 2024 14:50:09.248452902 CEST	37346	2023	192.168.2.13	203.145.46.240

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 14:48:19.897732973 CEST	38702	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:20.008330107 CEST	53	38702	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:37.230370045 CEST	58739	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:37.340781927 CEST	53	58739	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:37.340881109 CEST	40108	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:37.451145887 CEST	53	40108	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:37.451289892 CEST	49169	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:37.561424017 CEST	53	49169	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:37.561492920 CEST	39967	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:37.671416044 CEST	53	39967	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:37.671489000 CEST	60787	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:37.781801939 CEST	53	60787	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:37.781925917 CEST	37851	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:37.891931057 CEST	53	37851	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:37.891993046 CEST	54701	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:38.002003908 CEST	53	54701	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:38.002068996 CEST	42351	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:38.112210989 CEST	53	42351	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:38.112309933 CEST	49498	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:38.222312927 CEST	53	49498	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:38.222393990 CEST	36322	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:38.332401991 CEST	53	36322	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:38.332483053 CEST	49548	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:38.442437887 CEST	53	49548	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:38.442504883 CEST	57052	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:38.552382946 CEST	53	57052	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:38.552447081 CEST	38408	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:38.662502050 CEST	53	38408	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:38.662574053 CEST	41868	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:38.772665024 CEST	53	41868	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:38.772736073 CEST	46570	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:38.884816885 CEST	53	46570	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:38.884895086 CEST	49886	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:38.994837999 CEST	53	49886	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:38.994910002 CEST	49075	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:39.104892969 CEST	53	49075	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:39.104979038 CEST	56816	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:39.215142012 CEST	53	56816	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:39.215223074 CEST	43371	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:39.325453043 CEST	53	43371	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:39.325556040 CEST	42860	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:39.435708046 CEST	53	42860	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:39.435825109 CEST	35434	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:39.545864105 CEST	53	35434	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:39.545973063 CEST	34301	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:39.655985117 CEST	53	34301	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:39.656083107 CEST	38229	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:39.766124010 CEST	53	38229	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:39.766222954 CEST	57662	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:39.876190901 CEST	53	57662	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:39.876306057 CEST	46499	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:39.986301899 CEST	53	46499	8.8.8.8	192.168.2.13
Apr 25, 2024 14:48:57.530447006 CEST	53728	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:48:57.655659914 CEST	53	53728	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:17.817089081 CEST	57026	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:17.927840948 CEST	53	57026	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:32.372761965 CEST	38789	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:32.498311043 CEST	53	38789	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:41.823612928 CEST	40908	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:41.933867931 CEST	53	40908	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:41.934022903 CEST	35707	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:42.044028044 CEST	53	35707	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:42.044174910 CEST	47946	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:42.154282093 CEST	53	47946	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:42.154390097 CEST	39475	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:42.264548063 CEST	53	39475	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:42.264720917 CEST	52365	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:42.374731064 CEST	53	52365	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:42.374862909 CEST	40814	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:42.484844923 CEST	53	40814	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:42.485014915 CEST	53849	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:42.595024109 CEST	53	53849	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:42.595180035 CEST	41804	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:42.721218109 CEST	53	41804	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:42.721337080 CEST	57755	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:42.831470966 CEST	53	57755	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:42.831593990 CEST	43490	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:42.942405939 CEST	53	43490	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:42.942603111 CEST	39868	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:43.052593946 CEST	53	39868	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:43.052715063 CEST	46903	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:43.162760019 CEST	53	46903	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:43.162923098 CEST	41734	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:43.273040056 CEST	53	41734	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:43.273161888 CEST	59518	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:43.383236885 CEST	53	59518	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:43.383352041 CEST	41109	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:43.493411064 CEST	53	41109	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:43.493532896 CEST	33306	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:43.603461027 CEST	53	33306	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:43.603599072 CEST	47623	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:43.713640928 CEST	53	47623	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:43.713994980 CEST	55687	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:43.824032068 CEST	53	55687	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:43.824151993 CEST	34077	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:43.934072018 CEST	53	34077	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:43.934154034 CEST	46082	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:44.044171095 CEST	53	46082	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:44.044287920 CEST	37803	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:44.169606924 CEST	53	37803	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:47.492974043 CEST	50219	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:47.603120089 CEST	53	50219	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:47.603286028 CEST	33839	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:47.713320017 CEST	53	33839	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:47.713427067 CEST	33916	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:47.823337078 CEST	53	33916	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:47.823442936 CEST	39295	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:47.933446884 CEST	53	39295	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:47.933547974 CEST	50209	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:48.043741941 CEST	53	50209	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:48.043901920 CEST	34854	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:48.154164076 CEST	53	34854	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:48.154294968 CEST	34570	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:48.264379025 CEST	53	34570	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:48.264499903 CEST	60264	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:48.374677896 CEST	53	60264	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:48.374778032 CEST	52330	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:48.486161947 CEST	53	52330	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:48.486269951 CEST	44131	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:48.596366882 CEST	53	44131	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:48.596483946 CEST	59995	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:48.706646919 CEST	53	59995	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:48.706765890 CEST	49113	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:48.816706896 CEST	53	49113	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:48.816787958 CEST	43107	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:48.926770926 CEST	53	43107	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:48.926873922 CEST	60419	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:49.037139893 CEST	53	60419	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:49.037230015 CEST	46298	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:49.147176027 CEST	53	46298	8.8.8.8	192.168.2.13
Apr 25, 2024 14:49:49.147345066 CEST	40435	53	192.168.2.13	8.8.8.8
Apr 25, 2024 14:49:49.272175074 CEST	53	40435	8.8.8.8	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 14:48:19.897732973 CEST	192.168.2.13	8.8.8.8	0xa0	Standard query (0)	net-killer.ooguy.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:48:37.230370045 CEST	192.168.2.13	8.8.8.8	0x8ea2	Standard query (0)	aomacamada.ddns.net. [malformed]	256	293	false
Apr 25, 2024 14:48:37.340881109 CEST	192.168.2.13	8.8.8.8	0x8ea2	Standard query (0)	aomacamada.ddns.net. [malformed]	256	293	false
Apr 25, 2024 14:48:37.451289892 CEST	192.168.2.13	8.8.8.8	0x8ea2	Standard query (0)	aomacamada.ddns.net. [malformed]	256	293	false
Apr 25, 2024 14:48:37.561492920 CEST	192.168.2.13	8.8.8.8	0x8ea2	Standard query (0)	aomacamada.ddns.net. [malformed]	256	293	false
Apr 25, 2024 14:48:37.671489000 CEST	192.168.2.13	8.8.8.8	0x8ea2	Standard query (0)	aomacamada.ddns.net. [malformed]	256	293	false
Apr 25, 2024 14:48:37.781925917 CEST	192.168.2.13	8.8.8.8	0x1851	Standard query (0)	net-killer.ddns.net. [malformed]	256	293	false
Apr 25, 2024 14:48:37.891993046 CEST	192.168.2.13	8.8.8.8	0x1851	Standard query (0)	net-killer.ddns.net. [malformed]	256	294	false
Apr 25, 2024 14:48:38.002068996 CEST	192.168.2.13	8.8.8.8	0x1851	Standard query (0)	net-killer.ddns.net. [malformed]	256	294	false
Apr 25, 2024 14:48:38.112309933 CEST	192.168.2.13	8.8.8.8	0x1851	Standard query (0)	net-killer.ddns.net. [malformed]	256	294	false
Apr 25, 2024 14:48:38.222393990 CEST	192.168.2.13	8.8.8.8	0x1851	Standard query (0)	net-killer.ddns.net. [malformed]	256	294	false
Apr 25, 2024 14:48:38.332483053 CEST	192.168.2.13	8.8.8.8	0xc30e	Standard query (0)	Vet-killer.io.v. [malformed]	256	294	false
Apr 25, 2024 14:48:38.442504883 CEST	192.168.2.13	8.8.8.8	0xc30e	Standard query (0)	Vet-killer.io.v. [malformed]	256	294	false
Apr 25, 2024 14:48:38.552447081 CEST	192.168.2.13	8.8.8.8	0xc30e	Standard query (0)	Vet-killer.io.v. [malformed]	256	294	false
Apr 25, 2024 14:48:38.662574053 CEST	192.168.2.13	8.8.8.8	0xc30e	Standard query (0)	Vet-killer.io.v. [malformed]	256	294	false
Apr 25, 2024 14:48:38.772736073 CEST	192.168.2.13	8.8.8.8	0xc30e	Standard query (0)	Vet-killer.io.v. [malformed]	256	294	false
Apr 25, 2024 14:48:38.884895086 CEST	192.168.2.13	8.8.8.8	0x38de	Standard query (0)	net-killer.ooguy.com. [malformed]	256	294	false
Apr 25, 2024 14:48:38.994910002 CEST	192.168.2.13	8.8.8.8	0x38de	Standard query (0)	net-killer.ooguy.com. [malformed]	256	295	false
Apr 25, 2024 14:48:39.104979038 CEST	192.168.2.13	8.8.8.8	0x38de	Standard query (0)	net-killer.ooguy.com. [malformed]	256	295	false
Apr 25, 2024 14:48:39.215223074 CEST	192.168.2.13	8.8.8.8	0x38de	Standard query (0)	net-killer.ooguy.com. [malformed]	256	295	false
Apr 25, 2024 14:48:39.325556040 CEST	192.168.2.13	8.8.8.8	0x38de	Standard query (0)	net-killer.ooguy.com. [malformed]	256	295	false
Apr 25, 2024 14:48:39.435825109 CEST	192.168.2.13	8.8.8.8	0xe9d	Standard query (0)	Vet-killer.io.v. [malformed]	256	295	false
Apr 25, 2024 14:48:39.545973063 CEST	192.168.2.13	8.8.8.8	0xe9d	Standard query (0)	Vet-killer.io.v. [malformed]	256	295	false
Apr 25, 2024 14:48:39.656083107 CEST	192.168.2.13	8.8.8.8	0xe9d	Standard query (0)	Vet-killer.io.v. [malformed]	256	295	false
Apr 25, 2024 14:48:39.766222954 CEST	192.168.2.13	8.8.8.8	0xe9d	Standard query (0)	Vet-killer.io.v. [malformed]	256	295	false
Apr 25, 2024 14:48:39.876306057 CEST	192.168.2.13	8.8.8.8	0xe9d	Standard query (0)	Vet-killer.io.v. [malformed]	256	295	false
Apr 25, 2024 14:48:57.530447006 CEST	192.168.2.13	8.8.8.8	0x2564	Standard query (0)	aomacamada.ddns.net	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:49:17.817089081 CEST	192.168.2.13	8.8.8.8	0x7d13	Standard query (0)	net-killer.ddns.net	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:49:32.372761965 CEST	192.168.2.13	8.8.8.8	0xbf00	Standard query (0)	domain-botnet.servehttp.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:49:41.823612928 CEST	192.168.2.13	8.8.8.8	0x8e40	Standard query (0)	aomacamada.ddns.net. [malformed]	256	357	false
Apr 25, 2024 14:49:41.934022903 CEST	192.168.2.13	8.8.8.8	0x8e40	Standard query (0)	aomacamada.ddns.net. [malformed]	256	358	false
Apr 25, 2024 14:49:42.044174910 CEST	192.168.2.13	8.8.8.8	0x8e40	Standard query (0)	aomacamada.ddns.net. [malformed]	256	358	false
Apr 25, 2024 14:49:42.154390097 CEST	192.168.2.13	8.8.8.8	0x8e40	Standard query (0)	aomacamada.ddns.net. [malformed]	256	358	false
Apr 25, 2024 14:49:42.264720917 CEST	192.168.2.13	8.8.8.8	0x8e40	Standard query (0)	aomacamada.ddns.net. [malformed]	256	358	false
Apr 25, 2024 14:49:42.374862909 CEST	192.168.2.13	8.8.8.8	0x82f1	Standard query (0)	net-killer.ddns.net. [malformed]	256	358	false
Apr 25, 2024 14:49:42.485014915 CEST	192.168.2.13	8.8.8.8	0x82f1	Standard query (0)	net-killer.ddns.net. [malformed]	256	358	false
Apr 25, 2024 14:49:42.595180035 CEST	192.168.2.13	8.8.8.8	0x82f1	Standard query (0)	net-killer.ddns.net. [malformed]	256	358	false
Apr 25, 2024 14:49:42.721337080 CEST	192.168.2.13	8.8.8.8	0x82f1	Standard query (0)	net-killer.ddns.net. [malformed]	256	358	false
Apr 25, 2024 14:49:42.831593990 CEST	192.168.2.13	8.8.8.8	0x82f1	Standard query (0)	net-killer.ddns.net. [malformed]	256	358	false
Apr 25, 2024 14:49:42.942603111 CEST	192.168.2.13	8.8.8.8	0x9d62	Standard query (0)	net-killer.ddns.net. [malformed]	256	359	false
Apr 25, 2024 14:49:43.052715063 CEST	192.168.2.13	8.8.8.8	0x9d62	Standard query (0)	net-killer.ddns.net. [malformed]	256	359	false
Apr 25, 2024 14:49:43.162923098 CEST	192.168.2.13	8.8.8.8	0x9d62	Standard query (0)	net-killer.ddns.net. [malformed]	256	359	false
Apr 25, 2024 14:49:43.273161888 CEST	192.168.2.13	8.8.8.8	0x9d62	Standard query (0)	net-killer.ddns.net. [malformed]	256	359	false
Apr 25, 2024 14:49:43.383352041 CEST	192.168.2.13	8.8.8.8	0x9d62	Standard query (0)	net-killer.ddns.net. [malformed]	256	359	false
Apr 25, 2024 14:49:43.493532896 CEST	192.168.2.13	8.8.8.8	0xf572	Standard query (0)	Vet-killer.io.v. [malformed]	256	359	false
Apr 25, 2024 14:49:43.603599072 CEST	192.168.2.13	8.8.8.8	0xf572	Standard query (0)	Vet-killer.io.v. [malformed]	256	359	false
Apr 25, 2024 14:49:43.713994980 CEST	192.168.2.13	8.8.8.8	0xf572	Standard query (0)	Vet-killer.io.v. [malformed]	256	359	false
Apr 25, 2024 14:49:43.824151993 CEST	192.168.2.13	8.8.8.8	0xf572	Standard query (0)	Vet-killer.io.v. [malformed]	256	359	false
Apr 25, 2024 14:49:43.934154034 CEST	192.168.2.13	8.8.8.8	0xf572	Standard query (0)	Vet-killer.io.v. [malformed]	256	360	false
Apr 25, 2024 14:49:44.044287920 CEST	192.168.2.13	8.8.8.8	0xada6	Standard query (0)	domain-botnet.servehttp.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:49:47.492974043 CEST	192.168.2.13	8.8.8.8	0xa18	Standard query (0)	net-killer.ooguy.com. [malformed]	256	363	false
Apr 25, 2024 14:49:47.603286028 CEST	192.168.2.13	8.8.8.8	0xa18	Standard query (0)	net-killer.ooguy.com. [malformed]	256	363	false
Apr 25, 2024 14:49:47.713427067 CEST	192.168.2.13	8.8.8.8	0xa18	Standard query (0)	net-killer.ooguy.com. [malformed]	256	363	false
Apr 25, 2024 14:49:47.823442936 CEST	192.168.2.13	8.8.8.8	0xa18	Standard query (0)	net-killer.ooguy.com. [malformed]	256	363	false
Apr 25, 2024 14:49:47.933547974 CEST	192.168.2.13	8.8.8.8	0xa18	Standard query (0)	net-killer.ooguy.com. [malformed]	256	364	false
Apr 25, 2024 14:49:48.043901920 CEST	192.168.2.13	8.8.8.8	0x4722	Standard query (0)	aomacamada.ddns.net. [malformed]	256	364	false
Apr 25, 2024 14:49:48.154294968 CEST	192.168.2.13	8.8.8.8	0x4722	Standard query (0)	aomacamada.ddns.net. [malformed]	256	364	false
Apr 25, 2024 14:49:48.264499903 CEST	192.168.2.13	8.8.8.8	0x4722	Standard query (0)	aomacamada.ddns.net. [malformed]	256	364	false
Apr 25, 2024 14:49:48.374778032 CEST	192.168.2.13	8.8.8.8	0x4722	Standard query (0)	aomacamada.ddns.net. [malformed]	256	364	false
Apr 25, 2024 14:49:48.486269951 CEST	192.168.2.13	8.8.8.8	0x4722	Standard query (0)	aomacamada.ddns.net. [malformed]	256	364	false
Apr 25, 2024 14:49:48.596483946 CEST	192.168.2.13	8.8.8.8	0x5299	Standard query (0)	Vet-killer.io.v. [malformed]	256	364	false
Apr 25, 2024 14:49:48.706765890 CEST	192.168.2.13	8.8.8.8	0x5299	Standard query (0)	Vet-killer.io.v. [malformed]	256	364	false
Apr 25, 2024 14:49:48.816787958 CEST	192.168.2.13	8.8.8.8	0x5299	Standard query (0)	Vet-killer.io.v. [malformed]	256	364	false
Apr 25, 2024 14:49:48.926873922 CEST	192.168.2.13	8.8.8.8	0x5299	Standard query (0)	Vet-killer.io.v. [malformed]	256	365	false
Apr 25, 2024 14:49:49.037230015 CEST	192.168.2.13	8.8.8.8	0x5299	Standard query (0)	Vet-killer.io.v. [malformed]	256	365	false
Apr 25, 2024 14:49:49.147345066 CEST	192.168.2.13	8.8.8.8	0xac80	Standard query (0)	aomacamada.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 14:48:20.008330107 CEST	8.8.8.8	192.168.2.13	0xa0	No error (0)	net-killer.ooguy.com	203.145.46.240	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:48:57.655659914 CEST	8.8.8.8	192.168.2.13	0x2564	No error (0)	aomacamada.ddns.net	203.145.46.240	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:49:17.927840948 CEST	8.8.8.8	192.168.2.13	0x7d13	No error (0)	net-killer.ddns.net	203.145.46.240	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:49:32.498311043 CEST	8.8.8.8	192.168.2.13	0xbf00	No error (0)	domain-botnet.servehttp.com	51.79.217.59	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:49:44.169606924 CEST	8.8.8.8	192.168.2.13	0xada6	No error (0)	domain-botnet.servehttp.com	51.79.217.59	A (IP address)	IN (0x0001)	false
Apr 25, 2024 14:49:49.272175074 CEST	8.8.8.8	192.168.2.13	0xac80	No error (0)	aomacamada.ddns.net	203.145.46.240	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: ij5Z8oy5e3.elf PID: 5514, Parent PID: 5434

General

Start time (UTC):	12:48:19
Start date (UTC):	25/04/2024
Path:	/tmp/ij5Z8oy5e3.elf
Arguments:	/tmp/ij5Z8oy5e3.elf
File size:	96388 bytes
MD5 hash:	d13b153834dce9ac002fc83652d65fad

Chronological Activities

Analysis Process: ij5Z8oy5e3.elf PID: 5515, Parent PID: 5514

General

Start time (UTC):	12:48:19
Start date (UTC):	25/04/2024
Path:	/tmp/ij5Z8oy5e3.elf
Arguments:	-
File size:	96388 bytes
MD5 hash:	d13b153834dce9ac002fc83652d65fad

Chronological Activities

Analysis Process: ij5Z8oy5e3.elf PID: 5516, Parent PID: 5515

General

Start time (UTC):	12:48:19
Start date (UTC):	25/04/2024
Path:	/tmp/ij5Z8oy5e3.elf
Arguments:	-
File size:	96388 bytes
MD5 hash:	d13b153834dce9ac002fc83652d65fad

Chronological Activities

Analysis Process: ij5Z8oy5e3.elf PID: 5517, Parent PID: 5516

General

Start time (UTC):	12:48:19
Start date (UTC):	25/04/2024
Path:	/tmp/ij5Z8oy5e3.elf
Arguments:	-
File size:	96388 bytes
MD5 hash:	d13b153834dce9ac002fc83652d65fad

Analysis Process: xfce4-session PID: 5533, Parent PID: 2984

General

Start time (UTC):	12:48:20
Start date (UTC):	25/04/2024
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Chronological Activities

Analysis Process: xfdesktop PID: 5533, Parent PID: 2984

General

Start time (UTC):	12:48:20
Start date (UTC):	25/04/2024
Path:	/usr/bin/xfdesktop
Arguments:	xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
File size:	473520 bytes
MD5 hash:	dfb13e1581f80065dcea16f2476f16f2

Chronological Activities

Analysis Process: xfce4-session PID: 5534, Parent PID: 2984

General

Start time (UTC):	12:48:20
Start date (UTC):	25/04/2024
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Chronological Activities

Analysis Process: xfdesktop PID: 5534, Parent PID: 2984

General

Start time (UTC):	12:48:20
Start date (UTC):	25/04/2024
Path:	/usr/bin/xfdesktop
Arguments:	xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
File size:	473520 bytes
MD5 hash:	dfb13e1581f80065dcea16f2476f16f2

Chronological Activities

Analysis Process: xfce4-session PID: 5539, Parent PID: 2984

General

Start time (UTC):	12:48:23
Start date (UTC):	25/04/2024
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Chronological Activities

Analysis Process: xfdesktop PID: 5539, Parent PID: 2984

General

Start time (UTC):	12:48:23
Start date (UTC):	25/04/2024
Path:	/usr/bin/xfdesktop
Arguments:	xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
File size:	473520 bytes
MD5 hash:	dfb13e1581f80065dcea16f2476f16f2

Chronological Activities

Analysis Process: xfce4-session PID: 5540, Parent PID: 2984

General

Start time (UTC):	12:48:24
Start date (UTC):	25/04/2024
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Chronological Activities

Analysis Process: xfdesktop PID: 5540, Parent PID: 2984

General

Start time (UTC):	12:48:24
Start date (UTC):	25/04/2024
Path:	/usr/bin/xfdesktop
Arguments:	xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
File size:	473520 bytes
MD5 hash:	dfb13e1581f80065dcea16f2476f16f2

Chronological Activities

Analysis Process: xfce4-session PID: 5543, Parent PID: 2984

General

Start time (UTC):	12:48:25
Start date (UTC):	25/04/2024
Path:	/usr/bin/xfce4-session
Arguments:	-
File size:	264752 bytes
MD5 hash:	648919f03ad356720c8c27f5aaaf75d1

Chronological Activities

Analysis Process: xfdesktop PID: 5543, Parent PID: 2984

General

Start time (UTC):	12:48:25
Start date (UTC):	25/04/2024
Path:	/usr/bin/xfdesktop
Arguments:	xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
File size:	473520 bytes
MD5 hash:	dfb13e1581f80065dcea16f2476f16f2

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report ij5Z8oy5e3.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: ij5Z8oy5e3.elf PID: 5514, Parent PID: 5434

General

Chronological Activities

Analysis Process: ij5Z8oy5e3.elf PID: 5515, Parent PID: 5514

General

Chronological Activities

Analysis Process: ij5Z8oy5e3.elf PID: 5516, Parent PID: 5515

General

Chronological Activities

Analysis Process: ij5Z8oy5e3.elf PID: 5517, Parent PID: 5516

General

Analysis Process: xfce4-session PID: 5533, Parent PID: 2984

General

Chronological Activities

Analysis Process: xfdesktop PID: 5533, Parent PID: 2984

General

Chronological Activities

Analysis Process: xfce4-session PID: 5534, Parent PID: 2984

General

Chronological Activities

Linux Analysis Report
ij5Z8oy5e3.elf