Linux Analysis Report
Zz4JCR594d.elf

Overview

General Information

Sample name: Zz4JCR594d.elf (renamed because original name is a hash value)
Original sample name: 847c9f05128358bec5a7a17e6a3524ea.elf
Analysis ID: 1431631
MD5: 847c9f05128358bec5a7a17e6a3524ea
SHA1: 361b9fcd3d943c9a087a9971ddb5b28f2f8b977a
SHA256: 83385e26348583a9ab161170f825065e9dc7ead718d31b68207cdd31f842bfc4
Tags: 32, elf, intel, mirai
Infos:

Detection

Mirai, Okiru
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Detected Mirai
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Mirai
Yara detected Okiru
Machine Learning detection for sample
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Yara signature match

Classification

Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431631
Start date and time: 2024-04-25 14:48:21 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: Zz4JCR594d.elf (renamed because original name is a hash value)
Original Sample Name: 847c9f05128358bec5a7a17e6a3524ea.elf
Detection: MAL
Classification: mal100.troj.linELF@0/0@22/0
Command: /tmp/Zz4JCR594d.elf
PID: 5493
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
done.
Standard Error:
  • system is lnxubuntu20
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source | Rule | Description | Author | Strings
Zz4JCR594d.elf | JoeSecurity_Okiru | Yara detected Okiru | Joe Security |
Zz4JCR594d.elf | JoeSecurity_Mirai_3 | Yara detected Mirai | Joe Security |
Zz4JCR594d.elf | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown | strings:
  • 0xf6b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf6cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf6e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf6f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf708:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf71c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf730:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf744:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf758:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf76c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf780:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf794:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf80c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf820:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf834:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf848:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Zz4JCR594d.elf | Linux_Trojan_Mirai_b14f4c5d | unknown | unknown | strings:
  • 0x32f0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
Zz4JCR594d.elf | Linux_Trojan_Mirai_5f7b67b8 | unknown | unknown | strings:
  • 0x8655:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
Source | Rule | Description | Author | Strings
5493.1.0000000008048000.000000000805a000.r-x.sdmp | JoeSecurity_Okiru | Yara detected Okiru | Joe Security |
5493.1.0000000008048000.000000000805a000.r-x.sdmp | JoeSecurity_Mirai_3 | Yara detected Mirai | Joe Security |
5493.1.0000000008048000.000000000805a000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown | strings:
  • 0xf6b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf6cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf6e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf6f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf708:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf71c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf730:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf744:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf758:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf76c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf780:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf794:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf80c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf820:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf834:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf848:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5493.1.0000000008048000.000000000805a000.r-x.sdmp | Linux_Trojan_Mirai_b14f4c5d | unknown | unknown | strings:
  • 0x32f0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
5493.1.0000000008048000.000000000805a000.r-x.sdmp | Linux_Trojan_Mirai_5f7b67b8 | unknown | unknown | strings:
  • 0x8655:$a: 89 38 83 CF FF 89 F8 5A 59 5F C3 57 56 83 EC 04 8B 7C 24 10 8B 4C
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
04/25/24-14:49:08.054304 | 2030490 | 45982 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:50:26.385035 | 2030490 | 46006 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:49:42.656784 | 2030490 | 45990 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:49:44.466416 | 2030490 | 45992 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:51:00.432590 | 2030490 | 46018 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:49:21.971789 | 2030490 | 45984 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:50:17.774534 | 2030490 | 46002 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:51:05.317940 | 2030490 | 46022 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:50:21.579535 | 2030490 | 46004 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:50:38.009874 | 2030490 | 46010 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:50:54.541250 | 2030490 | 46016 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:51:03.373324 | 2030490 | 46020 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:50:35.194257 | 2030490 | 46008 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:50:46.663569 | 2030490 | 46014 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:50:41.842391 | 2030490 | 46012 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:49:34.838365 | 2030490 | 45988 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:50:11.970056 | 2030490 | 46000 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:49:31.793186 | 2030490 | 45986 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:50:06.165554 | 2030490 | 45998 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:49:56.358212 | 2030490 | 45996 | 2509 | TCP | A Network Trojan was detected
04/25/24-14:49:49.271102 | 2030490 | 45994 | 2509 | TCP | A Network Trojan was detected


          AV Detection

Source: Zz4JCR594d.elf | Avira: detected
Source: Zz4JCR594d.elf | Virustotal: Detection: 58%
Source: Zz4JCR594d.elf | ReversingLabs: Detection: 64%
Source: Zz4JCR594d.elf | Joe Sandbox ML: detected
Source: Zz4JCR594d.elf | String: HTTP/1.1 200 OKbot.armbot.arm5bot.arm6bot.arm7bot.mipsbot.mpslbot.x86_64bot.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f

          Networking

Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:45982 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:45984 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:45986 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:45988 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:45990 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:45992 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:45994 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:45996 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:45998 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:46000 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:46002 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:46004 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:46006 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:46008 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:46010 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:46012 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:46014 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:46016 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:46018 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:46020 -> 103.97.132.194:2509
Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.14:46022 -> 103.97.132.194:2509
Source: global traffic | TCP traffic: 192.168.2.14:45982 -> 103.97.132.194:2509
Source: global traffic | DNS traffic detected: DNS query: eclp8oz0m8mxouv96hc9p7k2btydt3iv.click

          System Summary

Source: Zz4JCR594d.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Zz4JCR594d.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: Zz4JCR594d.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: Zz4JCR594d.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: Zz4JCR594d.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: Zz4JCR594d.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: Zz4JCR594d.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: Process Memory Space: Zz4JCR594d.elf PID: 5493, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Initial sample | String containing 'busybox' found: /bin/busybox
Source: Initial sample | String containing 'busybox' found: HTTP/1.1 200 OKbot.armbot.arm5bot.arm6bot.arm7bot.mipsbot.mpslbot.x86_64bot.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f
Source: ELF static info symbol of initial sample | .symtab present: no
Source: Zz4JCR594d.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Zz4JCR594d.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_b14f4c5d | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: Zz4JCR594d.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_5f7b67b8 | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: Zz4JCR594d.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_88de437f | reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: Zz4JCR594d.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_389ee3e9 | reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: Zz4JCR594d.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_cc93863b | reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: Zz4JCR594d.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 | reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_b14f4c5d | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_5f7b67b8 | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_88de437f | reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_389ee3e9 | reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_cc93863b | reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 | reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: Process Memory Space: Zz4JCR594d.elf PID: 5493, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c | os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine | Classification label: mal100.troj.linELF@0/0@22/0
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/3760/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/3761/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/1583/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/2672/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/110/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/111/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/112/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/113/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/234/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/1577/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/114/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/235/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/115/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/116/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/117/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/118/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/119/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/10/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/917/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/11/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/12/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/13/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/14/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/15/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/16/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/17/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/18/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/19/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/1593/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/240/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/120/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/3094/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/121/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/242/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/3406/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/1/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/122/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/243/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/2/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/123/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/244/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/1589/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/3/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/124/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/245/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/1588/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/125/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/4/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/246/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/3402/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/126/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/5/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/247/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/127/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/6/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/248/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/128/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/7/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/249/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/8/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/129/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/800/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/3762/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/9/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/801/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/3763/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/803/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/20/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/806/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/21/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/807/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/928/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) | File opened: /proc/22/cmdline
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/23/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/24/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/25/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/26/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/27/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/28/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/29/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/3420/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/490/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/250/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/130/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/251/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/131/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/252/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/132/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/253/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/254/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/255/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/135/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/256/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/1599/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/257/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/378/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/258/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/3412/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/259/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/30/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/35/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/1371/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/260/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/261/cmdlineJump to behavior
          Source: /tmp/Zz4JCR594d.elf (PID: 5495)File opened: /proc/262/cmdlineJump to behavior
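The /proc walk above, one cmdline read per PID, is what a Mirai-family killer routine looks like in a file-open trace: the bot reads every process's command line to find rival bots to kill. The script below is an added example (not Joe Sandbox code and not taken from the sample) that flags this pattern in a behaviour log. The log excerpt is transcribed from the report, the two /bin/hostname lines are constructed benign noise, and the threshold of ten other PIDs is this example's own choice.

```python
"""Flag processes that walk /proc in a sandbox behaviour log.

Added example, not Joe Sandbox code. SAMPLE_LOG is an excerpt transcribed
from the report plus two constructed benign lines; the regular expressions
and the threshold are this example's own choices.
"""
import re
from collections import defaultdict

# "Source: <image> (PID: <pid>) File opened: <path>" as the report prints it
OPEN_RE = re.compile(
    r"Source:\s*(?P<image>\S+)\s*\(PID:\s*(?P<pid>\d+)\)\s*File opened:\s*(?P<path>\S+)"
)
# Per-process entries under /proc that a killer or enumerator reads for every PID
PROC_PID_RE = re.compile(r"^/proc/(?P<target>\d+)/(cmdline|exe|maps|status|stat)$")

SAMPLE_LOG = """\
Source: /tmp/Zz4JCR594d.elf (PID: 5495) File opened: /proc/3094/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) File opened: /proc/121/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) File opened: /proc/242/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) File opened: /proc/3406/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) File opened: /proc/1/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) File opened: /proc/122/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) File opened: /proc/243/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) File opened: /proc/2/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) File opened: /proc/123/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) File opened: /proc/244/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) File opened: /proc/1589/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) File opened: /proc/3/cmdline
Source: /tmp/Zz4JCR594d.elf (PID: 5495) File opened: /proc/1/cmdline
Source: /bin/hostname (PID: 900) File opened: /etc/hostname
Source: /bin/hostname (PID: 900) File opened: /proc/900/status
"""


def proc_targets(log_text):
    """Map (image, pid) -> set of other PIDs whose /proc entries that process read."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = OPEN_RE.search(line)
        if not m:
            continue
        p = PROC_PID_RE.match(m.group("path"))
        # Reading your own /proc entry is normal; only count other processes
        if p and p.group("target") != m.group("pid"):
            targets[(m.group("image"), int(m.group("pid")))].add(int(p.group("target")))
    return targets


def proc_enumerators(log_text, min_targets=10):
    """Processes that read the per-PID entries of at least min_targets other processes.

    ps, top and monitoring agents produce the same pattern, so treat this as a
    triage signal to combine with context such as the image path (here a
    binary run from /tmp), not as a verdict on its own.
    """
    return {
        key: len(pids)
        for key, pids in proc_targets(log_text).items()
        if len(pids) >= min_targets
    }


if __name__ == "__main__":
    for (image, pid), n in proc_enumerators(SAMPLE_LOG).items():
        print(f"{image} (PID {pid}) read /proc entries of {n} other processes")
```

Run against the full report trace the count is 74; the excerpt yields 12 because /proc/1/cmdline is read twice and distinct targets are what matter. Keep the threshold well above what a single ps invocation on a small host reaches only if you also allow-list the usual process-listing tools, otherwise the allow-list does the work and the threshold can stay low.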

          Stealing of Sensitive Information

Source: Yara match File source: Zz4JCR594d.elf, type: SAMPLE
Source: Yara match File source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Zz4JCR594d.elf PID: 5493, type: MEMORYSTR
Source: Yara match File source: Zz4JCR594d.elf, type: SAMPLE
Source: Yara match File source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Zz4JCR594d.elf PID: 5493, type: MEMORYSTR

          Remote Access Functionality

Source: Traffic Snort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) (21 alerts, one per check-in connection; see the Snort table below)
Source: Yara match File source: Zz4JCR594d.elf, type: SAMPLE
Source: Yara match File source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Zz4JCR594d.elf PID: 5493, type: MEMORYSTR
Source: Yara match File source: Zz4JCR594d.elf, type: SAMPLE
Source: Yara match File source: 5493.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Zz4JCR594d.elf PID: 5493, type: MEMORYSTR
MITRE ATT&CK matrix (a leading number is the count of signatures mapped to that technique; unnumbered cells are the matrix's unmatched placeholders)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: 1 Scripting; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: 1 Scripting; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: System Service Discovery; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
          No configs have been found
Source | Detection | Scanner | Label
Zz4JCR594d.elf | 59% | Virustotal |
Zz4JCR594d.elf | 65% | ReversingLabs | Linux.Trojan.Mirai
Zz4JCR594d.elf | 100% | Avira | EXP/ELF.Mirai.Z.A
Zz4JCR594d.elf | 100% | Joe Sandbox ML |
          No Antivirus matches
Source | Detection | Scanner | Label
eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | 17% | Virustotal |
          No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | 103.97.132.194 | true | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
103.97.132.194 | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | Viet Nam | 55933 | CLOUDIE-AS-AP Cloudie Limited HK | true
          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | 2TZqqUPBJw.elf | malicious | Mirai, Okiru | 45.118.146.212
eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | 0vstnmu699.elf | malicious | Mirai, Okiru | 45.118.146.212
eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | IA3uZEOLZ8.elf | malicious | Mirai, Okiru | 45.118.146.212
eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | VlmPWVuJv9.elf | malicious | Mirai, Okiru | 45.118.146.212
eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | 96koQTzreq.elf | malicious | Mirai, Okiru | 45.118.146.212
eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | u1iOATDRWC.elf | malicious | Mirai, Okiru | 45.118.146.212
eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | ke9n9bQgFS.elf | malicious | Mirai, Okiru | 45.118.146.212
eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | JmjxgXywQQ.elf | malicious | Mirai, Okiru | 45.118.146.212
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDIE-AS-AP Cloudie Limited HK | PO_PDF24172024.scr.exe | malicious | FormBook | 103.66.94.182
CLOUDIE-AS-AP Cloudie Limited HK | https://csactivation.carestreamdental.com/ViewSwitcher/SwitchView?mobile=True&returnUrl=https://bpy.us/moTxvQ3E4RAm3ToTxn2APa4RAchQ3E4RAD5QyD5Qm3TQ3EmD5Qz01coTxm&mc=101631 | malicious | Unknown | 45.134.174.193
CLOUDIE-AS-AP Cloudie Limited HK | zLH4Gkr36e.elf | malicious | Mirai | 185.249.62.140
CLOUDIE-AS-AP Cloudie Limited HK | RFQ.exe | malicious | FormBook | 103.66.94.182
CLOUDIE-AS-AP Cloudie Limited HK | ZdLASJ26Rb.exe | malicious | Unknown | 103.39.109.63
CLOUDIE-AS-AP Cloudie Limited HK | ZdLASJ26Rb.exe | malicious | Unknown | 103.39.109.63
CLOUDIE-AS-AP Cloudie Limited HK | BL4567GH67_xls.exe | malicious | FormBook | 103.66.94.182
CLOUDIE-AS-AP Cloudie Limited HK | Scan Document Copy_docx.exe | malicious | FormBook | 103.66.94.182
CLOUDIE-AS-AP Cloudie Limited HK | SO8J3K15us.elf | malicious | Gafgyt | 43.240.13.127
CLOUDIE-AS-AP Cloudie Limited HK | 21whXUKd06.elf | malicious | Gafgyt, Mirai | 43.240.13.113
          No context
          No context
          No created / dropped files found
File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 5.713672284145757
TrID:
• ELF Executable and Linkable format (Linux) (4029/14) 50.16%
• ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name: Zz4JCR594d.elf
File size: 89'576 bytes
MD5: 847c9f05128358bec5a7a17e6a3524ea
SHA1: 361b9fcd3d943c9a087a9971ddb5b28f2f8b977a
SHA256: 83385e26348583a9ab161170f825065e9dc7ead718d31b68207cdd31f842bfc4
SHA512: 2cad9ee486cc0cb41a8ac18e0136396f7d11630ad19ffaecf662a5a07978d463f53351be586116618a4ecd0e672426c61e1a439f7cfee971c53a887041af7766
SSDEEP: 1536:xpmWc2AcighsZ8+1JxNc/HL1mSsM8emsJgBQ9TnkISGtAdL0xZ:xpmX2riED+1rNAHZmLFsCQ9kVTL0x
TLSH: 56937DC5F643D4F5E89704B1213AEB339B33F0B52019EA43D7799932ECA2511EA16B9C
File Content Preview: .ELF....................d...4...X\......4. ...(......................................................G..8...........Q.td............................U..S........$...h........[]...$.............U......= ....t..5...................u........t....h............

          ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: Intel 80386
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x8048164
Flags: 0x0
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 89176
Section Header Size: 40
Number of Section Headers: 10
Header String Table Index: 9
Section headers

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x8048094 | 0x94 | 0x1c | 0x0 | 0x6 | AX | 0 | 0 | 1
.text | PROGBITS | 0x80480b0 | 0xb0 | 0xf136 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x80571e6 | 0xf1e6 | 0x17 | 0x0 | 0x6 | AX | 0 | 0 | 1
.rodata | PROGBITS | 0x8057200 | 0xf200 | 0x2290 | 0x0 | 0x2 | A | 0 | 0 | 32
.ctors | PROGBITS | 0x805a494 | 0x11494 | 0xc | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x805a4a0 | 0x114a0 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x805a4c0 | 0x114c0 | 0x4758 | 0x0 | 0x3 | WA | 0 | 0 | 32
.bss | NOBITS | 0x805ec20 | 0x15c18 | 0x49ac | 0x0 | 0x3 | WA | 0 | 0 | 32
.shstrtab | STRTAB | 0x0 | 0x15c18 | 0x3e | 0x0 | 0x0 | | 0 | 0 | 1

Program headers

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x8048000 | 0x8048000 | 0x11490 | 0x11490 | 6.5877 | 0x5 | R E | 0x1000 | | .init .text .fini .rodata
LOAD | 0x11494 | 0x805a494 | 0x805a494 | 0x4784 | 0x9138 | 0.3635 | 0x6 | RW | 0x1000 | | .ctors .dtors .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | |
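The header and segment tables above can be reproduced, and sanity-checked, with a short parser. The script below is an added example, not Joe Sandbox code and not the sample's bytes: it builds a synthetic ELF32 image (constructed here) whose fields mirror the values above (EXEC, Intel 80386, entry point 0x8048164, three program headers, an "R E" text segment, an "RW" data segment, GNU_STACK with flags 0x6), then parses it, prints readelf-style permission strings and per-segment entropy, and flags an executable stack, a W+X segment, or an entry point outside executable code. The check names and the filler bytes are this example's own.

```python
"""Parse an ELF32 header and its program headers and check segment permissions.

Added example, not Joe Sandbox code and not the analysed sample's bytes. The
image built by build_sample_elf32() is constructed here to mirror the
report's header values; the triage checks are this example's own.
"""
import math
import struct
from collections import Counter

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
MACHINE_NAMES = {3: "Intel 80386", 8: "MIPS", 40: "ARM", 62: "x86-64"}
EHDR_FMT = "<HHIIIIIHHHHHH"   # Elf32_Ehdr fields after the 16-byte e_ident
PHDR_FMT = "<IIIIIIII"        # Elf32_Phdr, 32 bytes


def perm_string(flags):
    """Render p_flags as readelf does: 0x5 -> 'R E', 0x6 -> 'RW '."""
    return ("R" if flags & PF_R else " ") + ("W" if flags & PF_W else " ") + ("E" if flags & PF_X else " ")


def shannon_entropy(data):
    """Bits per byte: 8.0 is uniformly random (packed or encrypted), 0.0 is padding."""
    if not data:
        return 0.0
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_elf32(blob):
    """Return (header dict, list of program-header dicts) for a little-endian ELF32 file."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if blob[4] != 1 or blob[5] != 1:
        raise ValueError("only ELF32 little-endian is handled here")
    names = ["type", "machine", "version", "entry", "phoff", "shoff", "flags",
             "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx"]
    hdr = dict(zip(names, struct.unpack_from(EHDR_FMT, blob, 16)))
    hdr["machine_name"] = MACHINE_NAMES.get(hdr["machine"], "unknown")
    phdrs = []
    for i in range(hdr["phnum"]):
        off = hdr["phoff"] + i * hdr["phentsize"]
        p = dict(zip(["type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align"],
                     struct.unpack_from(PHDR_FMT, blob, off)))
        p["perms"] = perm_string(p["flags"])
        p["entropy"] = round(shannon_entropy(blob[p["offset"]:p["offset"] + p["filesz"]]), 4)
        phdrs.append(p)
    return hdr, phdrs


def segment_findings(hdr, phdrs):
    """Triage checks: executable stack, W+X segment, entry point outside executable code."""
    findings = []
    stacks = [p for p in phdrs if p["type"] == PT_GNU_STACK]
    if not stacks:
        findings.append("no GNU_STACK header; stack executability is left to the loader")
    elif stacks[0]["flags"] & PF_X:
        findings.append("GNU_STACK requests an executable stack")
    for p in phdrs:
        if p["type"] == PT_LOAD and p["flags"] & PF_W and p["flags"] & PF_X:
            findings.append(f"W+X LOAD segment at 0x{p['vaddr']:x}")
    if not any(p["type"] == PT_LOAD and p["flags"] & PF_X
               and p["vaddr"] <= hdr["entry"] < p["vaddr"] + p["memsz"] for p in phdrs):
        findings.append(f"entry point 0x{hdr['entry']:x} is not inside an executable LOAD segment")
    return findings


def build_sample_elf32(stack_exec=False):
    """Constructed ELF32 image laid out like the sample: headers inside the first LOAD."""
    code = (b"\x55\x89\xe5\x83\xec\x10" * 30) + bytes(range(128))   # filler text bytes
    data = bytes(32) + b"hello\x00"                                   # filler data bytes
    phnum, phoff, phentsize = 3, 52, 32
    text_size = phoff + phnum * phentsize + len(code)   # file offset 0 up to end of code
    data_off = text_size
    stack_flags = PF_R | PF_W | (PF_X if stack_exec else 0)
    phdrs = [
        (PT_LOAD, 0, 0x8048000, 0x8048000, text_size, text_size, PF_R | PF_X, 0x1000),
        (PT_LOAD, data_off, 0x8049000 + data_off, 0x8049000 + data_off,
         len(data), len(data) + 0x100, PF_R | PF_W, 0x1000),
        (PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4),
    ]
    ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + bytes(7)   # ELF32, LSB, version 1, SysV
    ehdr = ident + struct.pack(EHDR_FMT, 2, 3, 1, 0x8048164, phoff, 0, 0,
                               52, phentsize, phnum, 40, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs) + code + data


if __name__ == "__main__":
    hdr, phdrs = parse_elf32(build_sample_elf32())
    print(f"{hdr['machine_name']} entry=0x{hdr['entry']:x} phnum={hdr['phnum']}")
    for p in phdrs:
        print(f"  type=0x{p['type']:x} {p['perms']} vaddr=0x{p['vaddr']:x} entropy={p['entropy']}")
    print("findings:", segment_findings(hdr, phdrs) or "none")
```

Read against the report, the GNU_STACK row (flags 0x6, RW) means the binary does not request an executable stack, and the two LOAD segments keep W and X apart. That says nothing about the bot's intent, but together with the text-segment entropy of 6.59 it tells you this is an ordinary unpacked static build, so the strings and Yara hits come straight from the file rather than from an unpacking stage. Point parse_elf32 at open(path, "rb").read() to run the same checks on a real sample.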
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/25/24-14:49:08.054304 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 45982 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:50:26.385035 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 46006 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:49:42.656784 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 45990 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:49:44.466416 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 45992 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:51:00.432590 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 46018 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:49:21.971789 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 45984 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:50:17.774534 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 46002 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:51:05.317940 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 46022 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:50:21.579535 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 46004 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:50:38.009874 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 46010 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:50:54.541250 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 46016 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:51:03.373324 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 46020 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:50:35.194257 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 46008 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:50:46.663569 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 46014 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:50:41.842391 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 46012 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:49:34.838365 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 45988 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:50:11.970056 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 46000 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:49:31.793186 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 45986 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:50:06.165554 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 45998 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:49:56.358212 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 45996 | 2509 | 192.168.2.14 | 103.97.132.194
04/25/24-14:49:49.271102 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 45994 | 2509 | 192.168.2.14 | 103.97.132.194
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 25, 2024 14:49:07.705370903 CEST | 45982 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:08.054119110 CEST | 2509 | 45982 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:08.054198027 CEST | 45982 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:08.054303885 CEST | 45982 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:08.402697086 CEST | 2509 | 45982 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:08.402759075 CEST | 2509 | 45982 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:14.513561010 CEST | 45984 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:15.538676977 CEST | 45984 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:17.553962946 CEST | 45984 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:21.617850065 CEST | 45984 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:21.971513987 CEST | 2509 | 45984 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:21.971787930 CEST | 45984 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:21.971788883 CEST | 45984 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:22.326455116 CEST | 2509 | 45984 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:22.326632977 CEST | 45984 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:23.057924986 CEST | 45984 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:23.058605909 CEST | 2509 | 45984 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:23.058736086 CEST | 45984 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:23.411771059 CEST | 2509 | 45984 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:23.412256956 CEST | 2509 | 45984 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:31.437958002 CEST | 45986 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:31.792987108 CEST | 2509 | 45986 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:31.793138027 CEST | 45986 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:31.793185949 CEST | 45986 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:32.148081064 CEST | 2509 | 45986 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:32.148222923 CEST | 45986 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:32.502906084 CEST | 2509 | 45986 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:34.486565113 CEST | 45988 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:34.838191986 CEST | 2509 | 45988 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:34.838365078 CEST | 45988 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:34.838365078 CEST | 45988 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:35.190119028 CEST | 2509 | 45988 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:35.190148115 CEST | 2509 | 45988 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:42.301505089 CEST | 45990 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:42.656625032 CEST | 2509 | 45990 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:42.656740904 CEST | 45990 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:42.656784058 CEST | 45990 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:43.010582924 CEST | 2509 | 45990 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:43.010643959 CEST | 2509 | 45990 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:44.121495008 CEST | 45992 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:44.466047049 CEST | 2509 | 45992 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:44.466180086 CEST | 45992 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:44.466415882 CEST | 45992 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:44.810216904 CEST | 2509 | 45992 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:44.810272932 CEST | 2509 | 45992 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:48.921500921 CEST | 45994 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:49.270678997 CEST | 2509 | 45994 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:49.270999908 CEST | 45994 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:49.271101952 CEST | 45994 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:49.625174046 CEST | 2509 | 45994 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:49.625541925 CEST | 45994 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:50.352654934 CEST | 45994 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:50.358019114 CEST | 2509 | 45994 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:50.358102083 CEST | 45994 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:50.702676058 CEST | 2509 | 45994 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:50.708070993 CEST | 2509 | 45994 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:56.014444113 CEST | 45996 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:56.358017921 CEST | 2509 | 45996 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:56.358186007 CEST | 45996 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:56.358211994 CEST | 45996 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:56.703172922 CEST | 2509 | 45996 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:56.703306913 CEST | 45996 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:57.392385006 CEST | 45996 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:57.423882008 CEST | 2509 | 45996 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:57.424022913 CEST | 45996 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:57.736521006 CEST | 2509 | 45996 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:57.766921043 CEST | 2509 | 45996 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:05.813591003 CEST | 45998 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:06.165287971 CEST | 2509 | 45998 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:06.165473938 CEST | 45998 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:06.165554047 CEST | 45998 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:06.515477896 CEST | 2509 | 45998 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:06.515551090 CEST | 2509 | 45998 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:11.626645088 CEST | 46000 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:11.969850063 CEST | 2509 | 46000 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:11.970016003 CEST | 46000 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:11.970056057 CEST | 46000 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:12.313159943 CEST | 2509 | 46000 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:12.313275099 CEST | 2509 | 46000 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:17.424360037 CEST | 46002 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:17.774281025 CEST | 2509 | 46002 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:17.774503946 CEST | 46002 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:17.774533987 CEST | 46002 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:18.124331951 CEST | 2509 | 46002 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:18.124372959 CEST | 2509 | 46002 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:21.236459017 CEST | 46004 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:21.579365969 CEST | 2509 | 46004 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:21.579494953 CEST | 46004 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:21.579535007 CEST | 46004 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:21.924237013 CEST | 2509 | 46004 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:21.924309015 CEST | 2509 | 46004 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:26.035676956 CEST | 46006 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:26.384733915 CEST | 2509 | 46006 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:26.384943962 CEST | 46006 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:26.385035038 CEST | 46006 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:26.733810902 CEST | 2509 | 46006 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:26.733885050 CEST | 2509 | 46006 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:34.844753981 CEST | 46008 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:35.194046021 CEST | 2509 | 46008 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:35.194209099 CEST | 46008 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:35.194257021 CEST | 46008 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:35.543406010 CEST | 2509 | 46008 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:35.543473005 CEST | 2509 | 46008 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:37.654043913 CEST | 46010 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:38.009593964 CEST | 2509 | 46010 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:38.009795904 CEST | 46010 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:38.009874105 CEST | 46010 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:38.365226984 CEST | 2509 | 46010 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:38.365273952 CEST | 2509 | 46010 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:40.476398945 CEST | 46012 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:41.486588955 CEST | 46012 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:41.842227936 CEST | 2509 | 46012 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:41.842391014 CEST | 46012 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:41.842391014 CEST | 46012 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:42.194628954 CEST | 2509 | 46012 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:42.194653988 CEST | 2509 | 46012 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:46.306783915 CEST | 46014 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:46.663378954 CEST | 2509 | 46014 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:46.663568020 CEST | 46014 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:46.663568974 CEST | 46014 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:47.019774914 CEST | 2509 | 46014 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:47.019793034 CEST | 2509 | 46014 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:54.130198002 CEST | 46016 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:54.541059017 CEST | 2509 | 46016 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:54.541249037 CEST | 46016 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:54.541249990 CEST | 46016 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:54.954726934 CEST | 2509 | 46016 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:50:54.955085993 CEST | 46016 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:50:55.357327938 CEST | 2509 | 46016 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:51:00.066003084 CEST | 46018 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:51:00.432344913 CEST | 2509 | 46018 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:51:00.432526112 CEST | 46018 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:51:00.432590008 CEST | 46018 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:51:00.835263014 CEST | 2509 | 46018 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:51:00.835324049 CEST | 2509 | 46018 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:51:02.946482897 CEST | 46020 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:51:03.373048067 CEST | 2509 | 46020 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:51:03.373323917 CEST | 46020 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:51:03.373323917 CEST | 46020 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:51:03.787590027 CEST | 2509 | 46020 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:51:03.787616014 CEST | 2509 | 46020 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:51:04.898832083 CEST | 46022 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:51:05.317686081 CEST | 2509 | 46022 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:51:05.317895889 CEST | 46022 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:51:05.317939997 CEST | 46022 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:51:05.747172117 CEST | 2509 | 46022 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:51:05.747196913 CEST | 2509 | 46022 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:51:12.857842922 CEST | 46024 | 2509 | 192.168.2.14 | 103.97.132.194
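The TCP table above is one short exchange with 103.97.132.194:2509 after another, each from a fresh client port, with the bot opening a new connection a few seconds after the previous one ends. The script below is an added example (not Joe Sandbox code) that summarises this reconnect churn from such rows: FLOW_ROWS is an excerpt transcribed from the table (the first four sessions), the column layout is the one used here, and the session and gap logic is this example's own.

```python
"""Summarise reconnect churn to one server endpoint from packet rows.

Added example, not Joe Sandbox code. FLOW_ROWS is an excerpt transcribed
from the report's TCP table (first four sessions); the row layout
"timestamp | src port | dst port | src ip | dst ip" and the session logic
are this example's own.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

FLOW_ROWS = """\
Apr 25, 2024 14:49:07.705370903 CEST | 45982 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:08.054119110 CEST | 2509 | 45982 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:08.054198027 CEST | 45982 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:08.054303885 CEST | 45982 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:08.402697086 CEST | 2509 | 45982 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:08.402759075 CEST | 2509 | 45982 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:14.513561010 CEST | 45984 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:15.538676977 CEST | 45984 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:17.553962946 CEST | 45984 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:21.617850065 CEST | 45984 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:21.971513987 CEST | 2509 | 45984 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:31.437958002 CEST | 45986 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:31.792987108 CEST | 2509 | 45986 | 103.97.132.194 | 192.168.2.14
Apr 25, 2024 14:49:34.486565113 CEST | 45988 | 2509 | 192.168.2.14 | 103.97.132.194
Apr 25, 2024 14:49:34.838191986 CEST | 2509 | 45988 | 103.97.132.194 | 192.168.2.14
"""

SANDBOX_CLIENT = "192.168.2.14"


def parse_rows(text):
    """Parse pipe-separated rows into (timestamp, sport, dport, src, dst) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, src, dst = [f.strip() for f in line.split("|")]
        # Drop the zone suffix and the last three digits: datetime handles microseconds only
        stamp = datetime.strptime(ts.rsplit(" ", 1)[0][:-3], "%b %d, %Y %H:%M:%S.%f")
        flows.append((stamp, int(sport), int(dport), src, dst))
    return flows


def sessions_by_endpoint(flows, client=SANDBOX_CLIENT):
    """Group client->server packets by (server ip, server port), then by client port.

    Each distinct client port is one TCP session; its list holds packet
    timestamps. Server->client packets are recorded separately so that a
    session the server never answered stays visible.
    """
    sessions = defaultdict(lambda: defaultdict(list))
    replies = defaultdict(set)
    for stamp, sport, dport, src, dst in flows:
        if src == client:
            sessions[(dst, dport)][sport].append(stamp)
        elif dst == client:
            replies[(src, sport)].add(dport)
    return sessions, replies


def churn_report(flows, client=SANDBOX_CLIENT):
    """Per server endpoint: session count, answered sessions, gaps between session starts."""
    sessions, replies = sessions_by_endpoint(flows, client)
    report = {}
    for endpoint, by_port in sessions.items():
        starts = sorted(min(stamps) for stamps in by_port.values())
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        report[endpoint] = {
            "sessions": len(by_port),
            "answered": sum(1 for port in by_port if port in replies[endpoint]),
            "gaps_s": [round(g, 3) for g in gaps],
            "median_gap_s": round(median(gaps), 3) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for (ip, port), r in churn_report(parse_rows(FLOW_ROWS)).items():
        print(f"{ip}:{port} sessions={r['sessions']} answered={r['answered']} "
              f"median gap={r['median_gap_s']}s gaps={r['gaps_s']}")
```

On the full table this gives 22 sessions to 103.97.132.194:2509 in about two minutes, the last one (client port 46024) still unanswered when the capture ends. Note the 45984 session: four client packets over seven seconds at 1 s, 2 s and 4 s spacing before the first reply, the shape of SYN retransmission backoff, which means the C2 was briefly unreachable and the bot simply kept trying. Many short sessions to one high, non-standard port, each preceded by a fresh DNS lookup of the same name (see the UDP table below), is the traffic shape to alert on even when the check-in payload itself is not matched by a signature.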

          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Apr 25, 2024 14:49:07.594655991 CEST | 35989 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:49:07.705249071 CEST | 53 | 35989 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:49:14.402731895 CEST | 38890 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:49:14.513447046 CEST | 53 | 38890 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:49:31.326630116 CEST | 34786 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:49:31.437711000 CEST | 53 | 34786 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:49:34.148322105 CEST | 58838 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:49:34.486382008 CEST | 53 | 58838 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:49:42.190171003 CEST | 36191 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:49:42.301135063 CEST | 53 | 36191 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:49:44.010824919 CEST | 48679 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:49:44.121356964 CEST | 53 | 48679 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:49:48.810484886 CEST | 41108 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:49:48.921243906 CEST | 53 | 41108 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:49:55.625511885 CEST | 48761 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:49:56.014255047 CEST | 53 | 48761 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:50:05.703217983 CEST | 42276 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:50:05.813421965 CEST | 53 | 42276 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:50:11.515695095 CEST | 39852 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:50:11.626302958 CEST | 53 | 39852 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:50:17.313421011 CEST | 48647 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:50:17.424216986 CEST | 53 | 48647 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:50:21.124655008 CEST | 41601 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:50:21.236323118 CEST | 53 | 41601 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:50:25.924396992 CEST | 41232 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:50:26.035533905 CEST | 53 | 41232 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:50:34.733855963 CEST | 60922 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:50:34.844578981 CEST | 53 | 60922 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:50:37.543596983 CEST | 44838 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:50:37.653836012 CEST | 53 | 44838 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:50:40.365468979 CEST | 50861 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:50:40.476202965 CEST | 53 | 50861 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:50:46.194844961 CEST | 37088 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:50:46.306596041 CEST | 53 | 37088 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:50:54.019746065 CEST | 34343 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:50:54.130012035 CEST | 53 | 34343 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:50:59.955142021 CEST | 60797 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:51:00.065675974 CEST | 53 | 60797 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:51:02.835488081 CEST | 41953 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:51:02.946331024 CEST | 53 | 41953 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:51:04.788008928 CEST | 46996 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:51:04.898698092 CEST | 53 | 46996 | 8.8.8.8 | 192.168.2.14
          Apr 25, 2024 14:51:12.747287989 CEST | 56189 | 53 | 192.168.2.14 | 8.8.8.8
          Apr 25, 2024 14:51:12.857678890 CEST | 53 | 56189 | 8.8.8.8 | 192.168.2.14

          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
          Apr 25, 2024 14:49:07.594655991 CEST | 192.168.2.14 | 8.8.8.8 | 0xf115 | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:49:14.402731895 CEST | 192.168.2.14 | 8.8.8.8 | 0x631c | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:49:31.326630116 CEST | 192.168.2.14 | 8.8.8.8 | 0x4874 | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:49:34.148322105 CEST | 192.168.2.14 | 8.8.8.8 | 0x42d | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:49:42.190171003 CEST | 192.168.2.14 | 8.8.8.8 | 0x7b74 | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:49:44.010824919 CEST | 192.168.2.14 | 8.8.8.8 | 0x43ce | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:49:48.810484886 CEST | 192.168.2.14 | 8.8.8.8 | 0x4885 | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:49:55.625511885 CEST | 192.168.2.14 | 8.8.8.8 | 0x604d | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:05.703217983 CEST | 192.168.2.14 | 8.8.8.8 | 0xc63b | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:11.515695095 CEST | 192.168.2.14 | 8.8.8.8 | 0x8b79 | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:17.313421011 CEST | 192.168.2.14 | 8.8.8.8 | 0x8de2 | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:21.124655008 CEST | 192.168.2.14 | 8.8.8.8 | 0x9f8 | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:25.924396992 CEST | 192.168.2.14 | 8.8.8.8 | 0xce95 | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:34.733855963 CEST | 192.168.2.14 | 8.8.8.8 | 0x9109 | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:37.543596983 CEST | 192.168.2.14 | 8.8.8.8 | 0x7e90 | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:40.365468979 CEST | 192.168.2.14 | 8.8.8.8 | 0xf6d0 | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:46.194844961 CEST | 192.168.2.14 | 8.8.8.8 | 0xe875 | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:54.019746065 CEST | 192.168.2.14 | 8.8.8.8 | 0xe811 | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:59.955142021 CEST | 192.168.2.14 | 8.8.8.8 | 0x80d3 | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:51:02.835488081 CEST | 192.168.2.14 | 8.8.8.8 | 0xb91d | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:51:04.788008928 CEST | 192.168.2.14 | 8.8.8.8 | 0xedd9 | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:51:12.747287989 CEST | 192.168.2.14 | 8.8.8.8 | 0x8621 | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false

          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          Apr 25, 2024 14:49:07.705249071 CEST | 8.8.8.8 | 192.168.2.14 | 0xf115 | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:49:14.513447046 CEST | 8.8.8.8 | 192.168.2.14 | 0x631c | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:49:31.437711000 CEST | 8.8.8.8 | 192.168.2.14 | 0x4874 | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:49:34.486382008 CEST | 8.8.8.8 | 192.168.2.14 | 0x42d | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:49:42.301135063 CEST | 8.8.8.8 | 192.168.2.14 | 0x7b74 | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:49:44.121356964 CEST | 8.8.8.8 | 192.168.2.14 | 0x43ce | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:49:48.921243906 CEST | 8.8.8.8 | 192.168.2.14 | 0x4885 | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:49:56.014255047 CEST | 8.8.8.8 | 192.168.2.14 | 0x604d | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:05.813421965 CEST | 8.8.8.8 | 192.168.2.14 | 0xc63b | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:11.626302958 CEST | 8.8.8.8 | 192.168.2.14 | 0x8b79 | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:17.424216986 CEST | 8.8.8.8 | 192.168.2.14 | 0x8de2 | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:21.236323118 CEST | 8.8.8.8 | 192.168.2.14 | 0x9f8 | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:26.035533905 CEST | 8.8.8.8 | 192.168.2.14 | 0xce95 | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:34.844578981 CEST | 8.8.8.8 | 192.168.2.14 | 0x9109 | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:37.653836012 CEST | 8.8.8.8 | 192.168.2.14 | 0x7e90 | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:40.476202965 CEST | 8.8.8.8 | 192.168.2.14 | 0xf6d0 | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:46.306596041 CEST | 8.8.8.8 | 192.168.2.14 | 0xe875 | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:50:54.130012035 CEST | 8.8.8.8 | 192.168.2.14 | 0xe811 | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:51:00.065675974 CEST | 8.8.8.8 | 192.168.2.14 | 0x80d3 | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:51:02.946331024 CEST | 8.8.8.8 | 192.168.2.14 | 0xb91d | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:51:04.898698092 CEST | 8.8.8.8 | 192.168.2.14 | 0xedd9 | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false
          Apr 25, 2024 14:51:12.857678890 CEST | 8.8.8.8 | 192.168.2.14 | 0x8621 | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click |  | 103.97.132.194 | A (IP address) | IN (0x0001) | false

          System Behavior

          Start time (UTC):12:49:06
          Start date (UTC):25/04/2024
          Path:/tmp/Zz4JCR594d.elf
          Arguments:/tmp/Zz4JCR594d.elf
          File size:89576 bytes
          MD5 hash:847c9f05128358bec5a7a17e6a3524ea

          Start time (UTC):12:49:06
          Start date (UTC):25/04/2024
          Path:/tmp/Zz4JCR594d.elf
          Arguments:-
          File size:89576 bytes
          MD5 hash:847c9f05128358bec5a7a17e6a3524ea

          Start time (UTC):12:49:06
          Start date (UTC):25/04/2024
          Path:/tmp/Zz4JCR594d.elf
          Arguments:-
          File size:89576 bytes
          MD5 hash:847c9f05128358bec5a7a17e6a3524ea