Linux Analysis Report
FYnfAXv8TC.elf

Overview

General Information

Sample name:FYnfAXv8TC.elf
renamed because original name is a hash value
Original sample name:469fd650b7f8221cc096947e0b6dd4e8.elf
Analysis ID:1435374
MD5:469fd650b7f8221cc096947e0b6dd4e8
SHA1:7fc85e0de64c58019e18067ae7b7c5f83aeaa4b1
SHA256:b313a0db30544c71db07d031ec9681d1ff00e4474b14c10bbae3f19ceb593b28
Tags:32, elf, intel, mirai

Detection

Mirai, Okiru
Score:100
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Detected Mirai
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Mirai
Yara detected Okiru
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Found strings indicative of a multi-platform dropper
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Yara signature match

Classification

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1435374
Start date and time:2024-05-02 15:59:09 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 29s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:FYnfAXv8TC.elf
renamed because original name is a hash value
Original Sample Name:469fd650b7f8221cc096947e0b6dd4e8.elf
Detection:MAL
Classification:mal100.troj.linELF@0/0@1/0
Command:/tmp/FYnfAXv8TC.elf
PID:5423
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
done.
Standard Error:
  • system is lnxubuntu20
  • cleanup
Name:Mirai
Description:Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution:No Attribution
Blogpost URLs:
Link:https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
Source | Rule | Description | Author | Strings
FYnfAXv8TC.elf | JoeSecurity_Okiru | Yara detected Okiru | Joe Security
FYnfAXv8TC.elf | JoeSecurity_Mirai_3 | Yara detected Mirai | Joe Security
FYnfAXv8TC.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
FYnfAXv8TC.elf | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0xf6b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf6cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf6e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf6f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf708:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf71c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf730:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf744:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf758:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf76c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf780:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf794:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf80c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf820:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf834:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf848:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
FYnfAXv8TC.elf | Linux_Trojan_Mirai_b14f4c5d | unknown | unknown
  • 0x32f0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
Source | Rule | Description | Author | Strings
5423.1.0000000008048000.000000000805a000.r-x.sdmp | JoeSecurity_Okiru | Yara detected Okiru | Joe Security
5423.1.0000000008048000.000000000805a000.r-x.sdmp | JoeSecurity_Mirai_3 | Yara detected Mirai | Joe Security
5423.1.0000000008048000.000000000805a000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security
5423.1.0000000008048000.000000000805a000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
  • 0xf6b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf6cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf6e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf6f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf708:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf71c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf730:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf744:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf758:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf76c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf780:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf794:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7a8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7bc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7d0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7e4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf7f8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf80c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf820:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf834:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
  • 0xf848:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5423.1.0000000008048000.000000000805a000.r-x.sdmp | Linux_Trojan_Mirai_b14f4c5d | unknown | unknown
  • 0x32f0:$a: 53 31 DB 8B 4C 24 0C 8B 54 24 08 83 F9 01 76 15 66 8B 02 83 E9 02 25 FF FF 00 00 83 C2 02 01 C3 83 F9 01 77 EB 49 75 05 0F BE 02 01 C3
Timestamp:05/02/24-15:59:51.002337
SID:2030490
Source Port:47434
Destination Port:43957
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:05/02/24-16:01:39.263517
SID:2030489
Source Port:43957
Destination Port:47434
Protocol:TCP
Classtype:A Network Trojan was detected

AV Detection

Source: FYnfAXv8TC.elf | Avira: detected
Source: FYnfAXv8TC.elf | Virustotal: Detection: 59%
Source: FYnfAXv8TC.elf | ReversingLabs: Detection: 63%
Source: FYnfAXv8TC.elf | Joe Sandbox ML: detected
Source: FYnfAXv8TC.elf | String: HTTP/1.1 200 OKbot.armbot.arm5bot.arm6bot.arm7bot.mipsbot.mpslbot.x86_64bot.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f

Networking

Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.13:47434 -> 103.77.208.150:43957
Source: Traffic | Snort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 103.77.208.150:43957 -> 192.168.2.13:47434
Source: global traffic | TCP traffic: 103.77.208.150 ports 43957,3,4,5,7,9
Source: global traffic | TCP traffic: 192.168.2.13:47434 -> 103.77.208.150:43957
Source: global traffic | DNS traffic detected: DNS query: eclp8oz0m8mxouv96hc9p7k2btydt3iv.click

System Summary

Source: FYnfAXv8TC.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: FYnfAXv8TC.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: FYnfAXv8TC.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: FYnfAXv8TC.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: FYnfAXv8TC.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: FYnfAXv8TC.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: FYnfAXv8TC.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_5f7b67b8 Author: unknown
Source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: Process Memory Space: FYnfAXv8TC.elf PID: 5423, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Initial sample | String containing 'busybox' found: /bin/busybox
Source: Initial sample | String containing 'busybox' found: HTTP/1.1 200 OKbot.armbot.arm5bot.arm6bot.arm7bot.mipsbot.mpslbot.x86_64bot.sh4/proc/proc/%d/cmdlinenetstatwgetcurl/bin/busybox/proc//proc/%s/exe/proc/self/exevar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdvar/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemdshellmnt/sys/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/anko-app/ankosample _8182T_1104/usr/libexec/openssh/sftp-serverabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3f
Source: ELF static info symbol of initial sample | .symtab present: no
Source: FYnfAXv8TC.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: FYnfAXv8TC.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: FYnfAXv8TC.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: FYnfAXv8TC.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: FYnfAXv8TC.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: FYnfAXv8TC.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: FYnfAXv8TC.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_5f7b67b8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6cb5fb0b7c132e9c11ac72da43278025b60810ea3733c9c6d6ca966163185940, id = 5f7b67b8-3d7b-48a4-8f03-b6f2c92be92e, last_modified = 2021-09-16
Source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: Process Memory Space: FYnfAXv8TC.elf PID: 5423, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine | Classification label: mal100.troj.linELF@0/0@1/0
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/230/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/110/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/231/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/111/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/232/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/112/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/233/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/113/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/234/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/114/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/235/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/115/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/236/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/116/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/237/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/117/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/238/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/118/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/239/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/119/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/914/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/10/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/917/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/11/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/12/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/13/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/14/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/15/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/16/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/17/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/18/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/3651/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/19/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/240/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/3095/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/120/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/241/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/121/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/242/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/3649/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/1/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/122/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/243/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/2/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/123/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/244/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/3/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/124/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/245/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/1588/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/125/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/4/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/246/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/126/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/5/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/247/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/127/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/6/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/248/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/128/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/7/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/249/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/129/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/8/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/800/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/9/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/1906/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/802/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/803/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/20/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/21/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/22/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/23/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/24/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/25/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/26/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/27/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/28/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/29/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/3420/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/1482/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/490/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/1480/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/250/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/371/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/130/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/251/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/131/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/252/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/132/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/253/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/254/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/1238/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/134/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/255/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/256/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/257/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/378/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/3413/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/258/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/259/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/1475/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/3652/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/3653/cmdline
Source: /tmp/FYnfAXv8TC.elf (PID: 5425) | File opened: /proc/3654/cmdline

Stealing of Sensitive Information

Source: Yara match | File source: FYnfAXv8TC.elf, type: SAMPLE
Source: Yara match | File source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FYnfAXv8TC.elf PID: 5423, type: MEMORYSTR
Source: Yara match | File source: FYnfAXv8TC.elf, type: SAMPLE
Source: Yara match | File source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FYnfAXv8TC.elf PID: 5423, type: MEMORYSTR

Remote Access Functionality

              Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
              Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
              Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
              Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
              Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
              Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
              Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
              Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
              Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)
              Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
              Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
              Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
              Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
              Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
              Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
              Source: TrafficSnort IDS: ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response
              Source: Yara matchFile source: FYnfAXv8TC.elf, type: SAMPLE
              Source: Yara matchFile source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: FYnfAXv8TC.elf PID: 5423, type: MEMORYSTR
              Source: Yara matchFile source: FYnfAXv8TC.elf, type: SAMPLE
              Source: Yara matchFile source: 5423.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: FYnfAXv8TC.elf PID: 5423, type: MEMORYSTR

              MITRE ATT&CK Matrix (techniques listed per tactic; a count in parentheses marks a technique the report matched)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
              Resource Development: Scripting (1); Domains; DNS Server
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts
              Execution: Windows Management Instrumentation; Scheduled Task/Job; At
              Persistence: Scripting (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
              Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
              Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information
              Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager
              Discovery: System Service Discovery; Application Window Discovery; Query Registry
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
              Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
              Command and Control: Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

              No configs have been found
              Source | Detection | Scanner | Label
              FYnfAXv8TC.elf | 59% | Virustotal |
              FYnfAXv8TC.elf | 63% | ReversingLabs | Linux.Trojan.Mirai
              FYnfAXv8TC.elf | 100% | Avira | EXP/ELF.Mirai.Z.A
              FYnfAXv8TC.elf | 100% | Joe Sandbox ML |
              No Antivirus matches
              Source | Detection | Scanner | Label
              eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | 17% | Virustotal |
              No Antivirus matches
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | 103.77.208.150 | true | true | | unknown
              IP | Domain | Country | ASN | ASN Name | Malicious
              103.77.208.150 | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | India | 10222 | MITL-HK Multibyte Info Technology Limited HK | true
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              103.77.208.150 | nCeFglng86.elf | malicious | Mirai, Okiru |
              103.77.208.150 | N5ARot6I5r.elf | malicious | Mirai, Gafgyt, Okiru |

                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | nCeFglng86.elf | malicious | Mirai, Okiru | 103.77.208.150
                  eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | N5ARot6I5r.elf | malicious | Mirai, Gafgyt, Okiru | 103.77.208.150
                  eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | tdL6G32dVm.elf | malicious | Mirai, Okiru | 103.97.132.194
                  eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | PYLJNyF1ws.elf | malicious | Mirai, Okiru | 103.97.132.194
                  eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | cpVDhYyMGO.elf | malicious | Mirai, Okiru | 103.97.132.194
                  eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | Zz4JCR594d.elf | malicious | Mirai, Okiru | 103.97.132.194
                  eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | 2TZqqUPBJw.elf | malicious | Mirai, Okiru | 45.118.146.212
                  eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | 0vstnmu699.elf | malicious | Mirai, Okiru | 45.118.146.212
                  eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | IA3uZEOLZ8.elf | malicious | Mirai, Okiru | 45.118.146.212
                  eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | VlmPWVuJv9.elf | malicious | Mirai, Okiru | 45.118.146.212

                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  MITL-HK Multibyte Info Technology Limited HK | nCeFglng86.elf | malicious | Mirai, Okiru | 103.77.208.150
                  MITL-HK Multibyte Info Technology Limited HK | N5ARot6I5r.elf | malicious | Mirai, Gafgyt, Okiru | 103.77.208.150
                  MITL-HK Multibyte Info Technology Limited HK | QEdgWf1a3R.elf | malicious | Unknown | 103.77.209.64
                  MITL-HK Multibyte Info Technology Limited HK | HOcuqnr3gd.elf | malicious | Unknown | 103.77.209.64
                  MITL-HK Multibyte Info Technology Limited HK | hPKPsYtRza.elf | malicious | Unknown | 103.77.209.64
                  MITL-HK Multibyte Info Technology Limited HK | x86.elf | malicious | Unknown | 103.77.209.64
                  MITL-HK Multibyte Info Technology Limited HK | arm7.elf | malicious | Mirai | 103.77.209.64
                  MITL-HK Multibyte Info Technology Limited HK | x86_64.elf | malicious | Unknown | 103.77.209.64
                  MITL-HK Multibyte Info Technology Limited HK | mpsl.elf | malicious | Unknown | 103.77.209.64
                  MITL-HK Multibyte Info Technology Limited HK | mips.elf | malicious | Unknown | 103.77.209.64
                  No context
                  No context
                  No created / dropped files found
                  File type:ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
                  Entropy (8bit):5.71381299382395
                  TrID:
                  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                  File name:FYnfAXv8TC.elf
                  File size:89'576 bytes
                  MD5:469fd650b7f8221cc096947e0b6dd4e8
                  SHA1:7fc85e0de64c58019e18067ae7b7c5f83aeaa4b1
                  SHA256:b313a0db30544c71db07d031ec9681d1ff00e4474b14c10bbae3f19ceb593b28
                  SHA512:dbd36feb7bbabefcc890968cc92a0685cf6d03337c48bf0ac265acd2ecc67a630ca01f306b3c476e4c3317ceb617c14424cd3c14f977b636a634825409294faf
                  SSDEEP:1536:xpmWc2AcighsZ8+/JxNcjHL1mSsM8emsJgBQ9TnkISGtAdL0xZ:xpmX2riED+/rNsHZmLFsCQ9kVTL0x
                  TLSH:B0936DC5F643D4F5E89704B1213AEB339B33F0B52019EA43D7799932ECA1511EA16B9C
                  File Content Preview:.ELF....................d...4...X\......4. ...(......................................................G..8...........Q.td............................U..S........$...h........[]...$.............U......= ....t..5...................u........t....h............

                  ELF header

                  Class:ELF32
                  Data:2's complement, little endian
                  Version:1 (current)
                  Machine:Intel 80386
                  Version Number:0x1
                  Type:EXEC (Executable file)
                  OS/ABI:UNIX - System V
                  ABI Version:0
                  Entry Point Address:0x8048164
                  Flags:0x0
                  ELF Header Size:52
                  Program Header Offset:52
                  Program Header Size:32
                  Number of Program Headers:3
                  Section Header Offset:89176
                  Section Header Size:40
                  Number of Section Headers:10
                  Header String Table Index:9
                  Section headers

                  Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
                  | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
                  .init | PROGBITS | 0x8048094 | 0x94 | 0x1c | 0x0 | 0x6 | AX | 0 | 0 | 1
                  .text | PROGBITS | 0x80480b0 | 0xb0 | 0xf136 | 0x0 | 0x6 | AX | 0 | 0 | 16
                  .fini | PROGBITS | 0x80571e6 | 0xf1e6 | 0x17 | 0x0 | 0x6 | AX | 0 | 0 | 1
                  .rodata | PROGBITS | 0x8057200 | 0xf200 | 0x2290 | 0x0 | 0x2 | A | 0 | 0 | 32
                  .ctors | PROGBITS | 0x805a494 | 0x11494 | 0xc | 0x0 | 0x3 | WA | 0 | 0 | 4
                  .dtors | PROGBITS | 0x805a4a0 | 0x114a0 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
                  .data | PROGBITS | 0x805a4c0 | 0x114c0 | 0x4758 | 0x0 | 0x3 | WA | 0 | 0 | 32
                  .bss | NOBITS | 0x805ec20 | 0x15c18 | 0x49ac | 0x0 | 0x3 | WA | 0 | 0 | 32
                  .shstrtab | STRTAB | 0x0 | 0x15c18 | 0x3e | 0x0 | 0x0 | | 0 | 0 | 1

                  Program headers

                  Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
                  LOAD | 0x0 | 0x8048000 | 0x8048000 | 0x11490 | 0x11490 | 6.5878 | 0x5 | R E | 0x1000 | | .init .text .fini .rodata
                  LOAD | 0x11494 | 0x805a494 | 0x805a494 | 0x4784 | 0x9138 | 0.3635 | 0x6 | RW | 0x1000 | | .ctors .dtors .data .bss
                  GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | |
                  Snort IDS alerts

                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  05/02/24-15:59:51.002337 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 47434 | 43957 | 192.168.2.13 | 103.77.208.150
                  05/02/24-16:01:39.263517 | TCP | 2030489 | ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response | 43957 | 47434 | 103.77.208.150 | 192.168.2.13

                  TCP packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  May 2, 2024 15:59:50.539762974 CEST | 47434 | 43957 | 192.168.2.13 | 103.77.208.150
                  May 2, 2024 15:59:51.002126932 CEST | 43957 | 47434 | 103.77.208.150 | 192.168.2.13
                  May 2, 2024 15:59:51.002227068 CEST | 47434 | 43957 | 192.168.2.13 | 103.77.208.150
                  May 2, 2024 15:59:51.002336979 CEST | 47434 | 43957 | 192.168.2.13 | 103.77.208.150
                  May 2, 2024 15:59:51.462624073 CEST | 43957 | 47434 | 103.77.208.150 | 192.168.2.13
                  May 2, 2024 15:59:51.464430094 CEST | 43957 | 47434 | 103.77.208.150 | 192.168.2.13
                  May 2, 2024 15:59:51.464471102 CEST | 47434 | 43957 | 192.168.2.13 | 103.77.208.150
                  May 2, 2024 15:59:59.137530088 CEST | 43957 | 47434 | 103.77.208.150 | 192.168.2.13
                  May 2, 2024 15:59:59.137650013 CEST | 47434 | 43957 | 192.168.2.13 | 103.77.208.150
                  May 2, 2024 16:00:09.146388054 CEST | 47434 | 43957 | 192.168.2.13 | 103.77.208.150
                  May 2, 2024 16:00:09.659837961 CEST | 43957 | 47434 | 103.77.208.150 | 192.168.2.13
                  May 2, 2024 16:00:19.162396908 CEST | 43957 | 47434 | 103.77.208.150 | 192.168.2.13
                  May 2, 2024 16:00:19.162533045 CEST | 47434 | 43957 | 192.168.2.13 | 103.77.208.150
                  May 2, 2024 16:00:39.173722029 CEST | 43957 | 47434 | 103.77.208.150 | 192.168.2.13
                  May 2, 2024 16:00:39.173897982 CEST | 47434 | 43957 | 192.168.2.13 | 103.77.208.150
                  May 2, 2024 16:00:59.198822021 CEST | 43957 | 47434 | 103.77.208.150 | 192.168.2.13
                  May 2, 2024 16:00:59.198921919 CEST | 47434 | 43957 | 192.168.2.13 | 103.77.208.150
                  May 2, 2024 16:01:19.210221052 CEST | 47434 | 43957 | 192.168.2.13 | 103.77.208.150
                  May 2, 2024 16:01:19.237931967 CEST | 43957 | 47434 | 103.77.208.150 | 192.168.2.13
                  May 2, 2024 16:01:19.237993956 CEST | 47434 | 43957 | 192.168.2.13 | 103.77.208.150
                  May 2, 2024 16:01:19.670568943 CEST | 43957 | 47434 | 103.77.208.150 | 192.168.2.13
                  May 2, 2024 16:01:39.263516903 CEST | 43957 | 47434 | 103.77.208.150 | 192.168.2.13
                  May 2, 2024 16:01:39.263664961 CEST | 47434 | 43957 | 192.168.2.13 | 103.77.208.150

                  UDP packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  May 2, 2024 15:59:50.434406996 CEST | 53385 | 53 | 192.168.2.13 | 8.8.8.8
                  May 2, 2024 15:59:50.539578915 CEST | 53 | 53385 | 8.8.8.8 | 192.168.2.13

                  DNS queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  May 2, 2024 15:59:50.434406996 CEST | 192.168.2.13 | 8.8.8.8 | 0xc0de | Standard query (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | A (IP address) | IN (0x0001) | false

                  DNS answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  May 2, 2024 15:59:50.539578915 CEST | 8.8.8.8 | 192.168.2.13 | 0xc0de | No error (0) | eclp8oz0m8mxouv96hc9p7k2btydt3iv.click | | 103.77.208.150 | A (IP address) | IN (0x0001) | false

                  System Behavior

                  Start time (UTC):13:59:49
                  Start date (UTC):02/05/2024
                  Path:/tmp/FYnfAXv8TC.elf
                  Arguments:/tmp/FYnfAXv8TC.elf
                  File size:89576 bytes
                  MD5 hash:469fd650b7f8221cc096947e0b6dd4e8

                  Start time (UTC):13:59:49
                  Start date (UTC):02/05/2024
                  Path:/tmp/FYnfAXv8TC.elf
                  Arguments:-
                  File size:89576 bytes
                  MD5 hash:469fd650b7f8221cc096947e0b6dd4e8

                  Start time (UTC):13:59:49
                  Start date (UTC):02/05/2024
                  Path:/tmp/FYnfAXv8TC.elf
                  Arguments:-
                  File size:89576 bytes
                  MD5 hash:469fd650b7f8221cc096947e0b6dd4e8