Edit tour

Linux Analysis Report
QDucAhFhA9.elf

Overview

General Information

Sample name:	QDucAhFhA9.elf renamed because original name is a hash value
Original sample name:	c308a09ef991bc198f4501964ac545c37fdd977940eb98afd955ce715774c597.elf
Analysis ID:	1598696
MD5:	f35dc2d049000545febf88fe7df3ad4f
SHA1:	e283c34b76aeec35081fb8e7a3eb623955048c5f
SHA256:	c308a09ef991bc198f4501964ac545c37fdd977940eb98afd955ce715774c597
Tags:	elfNomadPandaRedFoxtrotuser-JAMESWT_MHT
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Contains symbols related to standard C library sleeps (sometimes used to evade sandboxing)

Creates hidden files and/or directories

Executes commands using a shell command-line interpreter

Executes the "grep" command used to find patterns in files or piped streams

Executes the "systemctl" command used for controlling the systemd system and service manager

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1598696
Start date and time:	2025-01-24 16:40:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	QDucAhFhA9.elf renamed because original name is a hash value
Original Sample Name:	c308a09ef991bc198f4501964ac545c37fdd977940eb98afd955ce715774c597.elf
Detection:	MAL
Classification:	mal52.troj.linELF@0/3@2/0
Cookbook Comments:	Analysis time extended to 480s due to sleep detection in submitted sample

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long

Runtime Messages

Command:	/tmp/QDucAhFhA9.elf
PID:	5418
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	cat: '/root/.mozilla/firefox/release/prefs.js': No such file or directory cat: '/root/.mozilla/firefox/default/prefs.js': No such file or directory cat: '/root/.mozilla/firefox/release/prefs.js': No such file or directory cat: '/root/.mozilla/firefox/default/prefs.js': No such file or directory cat: '/root/.mozilla/firefox/release/prefs.js': No such file or directory cat: '/root/.mozilla/firefox/default/prefs.js': No such file or directory

Process Tree

system is lnxubuntu20

QDucAhFhA9.elf (PID: 5418, Parent: 5340, MD5: f35dc2d049000545febf88fe7df3ad4f) Arguments: /tmp/QDucAhFhA9.elf

QDucAhFhA9.elf New Fork (PID: 5419, Parent: 5418)

sh (PID: 5419, Parent: 5418, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable ssl-key >/dev/null 2>/dev/null"

sh New Fork (PID: 5420, Parent: 5419)

systemctl (PID: 5420, Parent: 5419, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable ssl-key

QDucAhFhA9.elf New Fork (PID: 5424, Parent: 5418)

QDucAhFhA9.elf New Fork (PID: 5429, Parent: 5424)

sh (PID: 5429, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5430, Parent: 5429)

cat (PID: 5430, Parent: 5429, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*release/prefs.js

sh New Fork (PID: 5431, Parent: 5429)

grep (PID: 5431, Parent: 5429, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5432, Parent: 5424)

sh (PID: 5432, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5433, Parent: 5432)

cat (PID: 5433, Parent: 5432, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*default/prefs.js

sh New Fork (PID: 5434, Parent: 5432)

grep (PID: 5434, Parent: 5432, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5435, Parent: 5424)

sh (PID: 5435, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/profile | grep https_proxy"

sh New Fork (PID: 5436, Parent: 5435)

cat (PID: 5436, Parent: 5435, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/profile

sh New Fork (PID: 5437, Parent: 5435)

grep (PID: 5437, Parent: 5435, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep https_proxy

QDucAhFhA9.elf New Fork (PID: 5485, Parent: 5424)

sh (PID: 5485, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5486, Parent: 5485)

cat (PID: 5486, Parent: 5485, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*release/prefs.js

sh New Fork (PID: 5487, Parent: 5485)

grep (PID: 5487, Parent: 5485, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5488, Parent: 5424)

sh (PID: 5488, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5489, Parent: 5488)

cat (PID: 5489, Parent: 5488, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*default/prefs.js

sh New Fork (PID: 5490, Parent: 5488)

grep (PID: 5490, Parent: 5488, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5491, Parent: 5424)

sh (PID: 5491, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/profile | grep https_proxy"

sh New Fork (PID: 5492, Parent: 5491)

cat (PID: 5492, Parent: 5491, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/profile

sh New Fork (PID: 5493, Parent: 5491)

grep (PID: 5493, Parent: 5491, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep https_proxy

QDucAhFhA9.elf New Fork (PID: 5517, Parent: 5424)

sh (PID: 5517, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5518, Parent: 5517)

cat (PID: 5518, Parent: 5517, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*release/prefs.js

sh New Fork (PID: 5519, Parent: 5517)

grep (PID: 5519, Parent: 5517, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5520, Parent: 5424)

sh (PID: 5520, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5521, Parent: 5520)

cat (PID: 5521, Parent: 5520, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*default/prefs.js

sh New Fork (PID: 5522, Parent: 5520)

grep (PID: 5522, Parent: 5520, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5525, Parent: 5424)

sh (PID: 5525, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/profile | grep https_proxy"

sh New Fork (PID: 5526, Parent: 5525)

cat (PID: 5526, Parent: 5525, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/profile

sh New Fork (PID: 5527, Parent: 5525)

grep (PID: 5527, Parent: 5525, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep https_proxy

QDucAhFhA9.elf New Fork (PID: 5549, Parent: 5424)

sh (PID: 5549, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5550, Parent: 5549)

cat (PID: 5550, Parent: 5549, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*release/prefs.js

sh New Fork (PID: 5551, Parent: 5549)

grep (PID: 5551, Parent: 5549, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5553, Parent: 5424)

sh (PID: 5553, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5554, Parent: 5553)

cat (PID: 5554, Parent: 5553, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*default/prefs.js

sh New Fork (PID: 5555, Parent: 5553)

grep (PID: 5555, Parent: 5553, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5556, Parent: 5424)

sh (PID: 5556, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/profile | grep https_proxy"

sh New Fork (PID: 5557, Parent: 5556)

cat (PID: 5557, Parent: 5556, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/profile

sh New Fork (PID: 5558, Parent: 5556)

grep (PID: 5558, Parent: 5556, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep https_proxy

QDucAhFhA9.elf New Fork (PID: 5586, Parent: 5424)

sh (PID: 5586, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5587, Parent: 5586)

cat (PID: 5587, Parent: 5586, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*release/prefs.js

sh New Fork (PID: 5588, Parent: 5586)

grep (PID: 5588, Parent: 5586, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5591, Parent: 5424)

sh (PID: 5591, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5592, Parent: 5591)

cat (PID: 5592, Parent: 5591, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*default/prefs.js

sh New Fork (PID: 5593, Parent: 5591)

grep (PID: 5593, Parent: 5591, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5594, Parent: 5424)

sh (PID: 5594, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/profile | grep https_proxy"

sh New Fork (PID: 5595, Parent: 5594)

cat (PID: 5595, Parent: 5594, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/profile

sh New Fork (PID: 5596, Parent: 5594)

grep (PID: 5596, Parent: 5594, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep https_proxy

QDucAhFhA9.elf New Fork (PID: 5616, Parent: 5424)

sh (PID: 5616, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5617, Parent: 5616)

cat (PID: 5617, Parent: 5616, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*release/prefs.js

sh New Fork (PID: 5618, Parent: 5616)

grep (PID: 5618, Parent: 5616, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5619, Parent: 5424)

sh (PID: 5619, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5620, Parent: 5619)

cat (PID: 5620, Parent: 5619, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*default/prefs.js

sh New Fork (PID: 5621, Parent: 5619)

grep (PID: 5621, Parent: 5619, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5622, Parent: 5424)

sh (PID: 5622, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/profile | grep https_proxy"

sh New Fork (PID: 5623, Parent: 5622)

cat (PID: 5623, Parent: 5622, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/profile

sh New Fork (PID: 5624, Parent: 5622)

grep (PID: 5624, Parent: 5622, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep https_proxy

QDucAhFhA9.elf New Fork (PID: 5650, Parent: 5424)

sh (PID: 5650, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5651, Parent: 5650)

cat (PID: 5651, Parent: 5650, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*release/prefs.js

sh New Fork (PID: 5652, Parent: 5650)

grep (PID: 5652, Parent: 5650, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5653, Parent: 5424)

sh (PID: 5653, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5654, Parent: 5653)

cat (PID: 5654, Parent: 5653, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*default/prefs.js

sh New Fork (PID: 5655, Parent: 5653)

grep (PID: 5655, Parent: 5653, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5656, Parent: 5424)

sh (PID: 5656, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/profile | grep https_proxy"

sh New Fork (PID: 5657, Parent: 5656)

cat (PID: 5657, Parent: 5656, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/profile

sh New Fork (PID: 5658, Parent: 5656)

grep (PID: 5658, Parent: 5656, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep https_proxy

QDucAhFhA9.elf New Fork (PID: 5702, Parent: 5424)

sh (PID: 5702, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5703, Parent: 5702)

cat (PID: 5703, Parent: 5702, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*release/prefs.js

sh New Fork (PID: 5704, Parent: 5702)

grep (PID: 5704, Parent: 5702, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5705, Parent: 5424)

sh (PID: 5705, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5706, Parent: 5705)

cat (PID: 5706, Parent: 5705, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*default/prefs.js

sh New Fork (PID: 5707, Parent: 5705)

grep (PID: 5707, Parent: 5705, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5708, Parent: 5424)

sh (PID: 5708, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/profile | grep https_proxy"

sh New Fork (PID: 5709, Parent: 5708)

cat (PID: 5709, Parent: 5708, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/profile

sh New Fork (PID: 5710, Parent: 5708)

grep (PID: 5710, Parent: 5708, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep https_proxy

QDucAhFhA9.elf New Fork (PID: 5730, Parent: 5424)

sh (PID: 5730, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5731, Parent: 5730)

cat (PID: 5731, Parent: 5730, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*release/prefs.js

sh New Fork (PID: 5732, Parent: 5730)

grep (PID: 5732, Parent: 5730, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5733, Parent: 5424)

sh (PID: 5733, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5734, Parent: 5733)

cat (PID: 5734, Parent: 5733, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*default/prefs.js

sh New Fork (PID: 5735, Parent: 5733)

grep (PID: 5735, Parent: 5733, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5736, Parent: 5424)

sh (PID: 5736, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/profile | grep https_proxy"

sh New Fork (PID: 5737, Parent: 5736)

cat (PID: 5737, Parent: 5736, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/profile

sh New Fork (PID: 5738, Parent: 5736)

grep (PID: 5738, Parent: 5736, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep https_proxy

QDucAhFhA9.elf New Fork (PID: 5759, Parent: 5424)

sh (PID: 5759, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5760, Parent: 5759)

cat (PID: 5760, Parent: 5759, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*release/prefs.js

sh New Fork (PID: 5761, Parent: 5759)

grep (PID: 5761, Parent: 5759, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5762, Parent: 5424)

sh (PID: 5762, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5763, Parent: 5762)

cat (PID: 5763, Parent: 5762, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*default/prefs.js

sh New Fork (PID: 5764, Parent: 5762)

grep (PID: 5764, Parent: 5762, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5765, Parent: 5424)

sh (PID: 5765, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/profile | grep https_proxy"

sh New Fork (PID: 5766, Parent: 5765)

cat (PID: 5766, Parent: 5765, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/profile

sh New Fork (PID: 5767, Parent: 5765)

grep (PID: 5767, Parent: 5765, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep https_proxy

QDucAhFhA9.elf New Fork (PID: 5789, Parent: 5424)

sh (PID: 5789, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5790, Parent: 5789)

cat (PID: 5790, Parent: 5789, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*release/prefs.js

sh New Fork (PID: 5791, Parent: 5789)

grep (PID: 5791, Parent: 5789, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5792, Parent: 5424)

sh (PID: 5792, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5793, Parent: 5792)

cat (PID: 5793, Parent: 5792, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*default/prefs.js

sh New Fork (PID: 5794, Parent: 5792)

grep (PID: 5794, Parent: 5792, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5795, Parent: 5424)

sh (PID: 5795, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/profile | grep https_proxy"

sh New Fork (PID: 5796, Parent: 5795)

cat (PID: 5796, Parent: 5795, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/profile

sh New Fork (PID: 5797, Parent: 5795)

grep (PID: 5797, Parent: 5795, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep https_proxy

QDucAhFhA9.elf New Fork (PID: 5823, Parent: 5424)

sh (PID: 5823, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5824, Parent: 5823)

cat (PID: 5824, Parent: 5823, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*release/prefs.js

sh New Fork (PID: 5825, Parent: 5823)

grep (PID: 5825, Parent: 5823, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5826, Parent: 5424)

sh (PID: 5826, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js | grep network.proxy.ssl"

sh New Fork (PID: 5827, Parent: 5826)

cat (PID: 5827, Parent: 5826, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /root/.mozilla/firefox/*default/prefs.js

sh New Fork (PID: 5828, Parent: 5826)

grep (PID: 5828, Parent: 5826, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep network.proxy.ssl

QDucAhFhA9.elf New Fork (PID: 5829, Parent: 5424)

sh (PID: 5829, Parent: 5424, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "cat /etc/profile | grep https_proxy"

sh New Fork (PID: 5830, Parent: 5829)

cat (PID: 5830, Parent: 5829, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /etc/profile

sh New Fork (PID: 5831, Parent: 5829)

grep (PID: 5831, Parent: 5829, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep https_proxy

systemd New Fork (PID: 5422, Parent: 5421)

snapd-env-generator (PID: 5422, Parent: 5421, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: QDucAhFhA9.elf	Virustotal: Detection: 51%			Perma Link
Source: QDucAhFhA9.elf	ReversingLabs: Detection: 44%

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50104 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50140 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50144 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50146 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50150 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50152 -> 3128

Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245
Source: unknown	TCP traffic detected without corresponding DNS query: 95.179.223.245

Source: global traffic

DNS traffic detected: DNS query: daisy.ubuntu.com

Source: unknown	Network traffic detected: HTTP traffic on port 59730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59748
Source: unknown	Network traffic detected: HTTP traffic on port 59724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59778
Source: unknown	Network traffic detected: HTTP traffic on port 59760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59766
Source: unknown	Network traffic detected: HTTP traffic on port 59784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59736
Source: unknown	Network traffic detected: HTTP traffic on port 59766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59724
Source: unknown	Network traffic detected: HTTP traffic on port 59748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59784
Source: unknown	Network traffic detected: HTTP traffic on port 59742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59760
Source: unknown	Network traffic detected: HTTP traffic on port 59736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59772 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal52.troj.linELF@0/3@2/0

Source: /tmp/QDucAhFhA9.elf (PID: 5418)

Directory: /root/.config

Jump to behavior

Source: /tmp/QDucAhFhA9.elf (PID: 5419)	Shell command executed: sh -c "systemctl enable ssl-key >/dev/null 2>/dev/null"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5429)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5432)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5435)	Shell command executed: sh -c "cat /etc/profile \| grep https_proxy"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5485)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5488)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5491)	Shell command executed: sh -c "cat /etc/profile \| grep https_proxy"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5517)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5520)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5525)	Shell command executed: sh -c "cat /etc/profile \| grep https_proxy"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5549)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5553)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5556)	Shell command executed: sh -c "cat /etc/profile \| grep https_proxy"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5586)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5591)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5594)	Shell command executed: sh -c "cat /etc/profile \| grep https_proxy"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5616)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5619)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5622)	Shell command executed: sh -c "cat /etc/profile \| grep https_proxy"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5650)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5653)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5656)	Shell command executed: sh -c "cat /etc/profile \| grep https_proxy"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5702)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5705)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5708)	Shell command executed: sh -c "cat /etc/profile \| grep https_proxy"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5730)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5733)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5736)	Shell command executed: sh -c "cat /etc/profile \| grep https_proxy"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5759)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5762)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5765)	Shell command executed: sh -c "cat /etc/profile \| grep https_proxy"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5789)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5792)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5795)	Shell command executed: sh -c "cat /etc/profile \| grep https_proxy"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5823)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*release/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5826)	Shell command executed: sh -c "cat $HOME/.mozilla/firefox/*default/prefs.js \| grep network.proxy.ssl"	Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5829)	Shell command executed: sh -c "cat /etc/profile \| grep https_proxy"	Jump to behavior

Source: /bin/sh (PID: 5431)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5434)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5437)	Grep executable: /usr/bin/grep -> grep https_proxy	Jump to behavior
Source: /bin/sh (PID: 5487)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5490)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5493)	Grep executable: /usr/bin/grep -> grep https_proxy	Jump to behavior
Source: /bin/sh (PID: 5519)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5522)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5527)	Grep executable: /usr/bin/grep -> grep https_proxy	Jump to behavior
Source: /bin/sh (PID: 5551)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5555)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5558)	Grep executable: /usr/bin/grep -> grep https_proxy	Jump to behavior
Source: /bin/sh (PID: 5588)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5593)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5596)	Grep executable: /usr/bin/grep -> grep https_proxy	Jump to behavior
Source: /bin/sh (PID: 5618)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5621)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5624)	Grep executable: /usr/bin/grep -> grep https_proxy	Jump to behavior
Source: /bin/sh (PID: 5652)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5655)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5658)	Grep executable: /usr/bin/grep -> grep https_proxy	Jump to behavior
Source: /bin/sh (PID: 5704)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5707)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5710)	Grep executable: /usr/bin/grep -> grep https_proxy	Jump to behavior
Source: /bin/sh (PID: 5732)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5735)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5738)	Grep executable: /usr/bin/grep -> grep https_proxy	Jump to behavior
Source: /bin/sh (PID: 5761)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5764)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5767)	Grep executable: /usr/bin/grep -> grep https_proxy	Jump to behavior
Source: /bin/sh (PID: 5791)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5794)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5797)	Grep executable: /usr/bin/grep -> grep https_proxy	Jump to behavior
Source: /bin/sh (PID: 5825)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5828)	Grep executable: /usr/bin/grep -> grep network.proxy.ssl	Jump to behavior
Source: /bin/sh (PID: 5831)	Grep executable: /usr/bin/grep -> grep https_proxy	Jump to behavior

Source: /bin/sh (PID: 5420)

Systemctl executable: /usr/bin/systemctl -> systemctl enable ssl-key

Jump to behavior

Source: submitted sample

Stderr: cat: '/root/.mozilla/firefox/*release/prefs.js': No such file or directorycat: '/root/.mozilla/firefox/*default/prefs.js': No such file or directorycat: '/root/.mozilla/firefox/*release/prefs.js': No such file or directorycat: '/root/.mozilla/firefox/*default/prefs.js': No such file or directorycat: '/root/.mozilla/firefox/*release/prefs.js': No such file or directorycat: '/root/.mozilla/firefox/*default/prefs.js': No such file or directory: exit code = 0

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50090 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50104 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50140 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50144 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50146 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50150 -> 3128
Source: unknown	Network traffic detected: HTTP traffic on port 50152 -> 3128

Source: ELF symbol in initial sample

Symbol name: sleep

Source: /tmp/QDucAhFhA9.elf (PID: 5418)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/QDucAhFhA9.elf (PID: 5424)	Queries kernel information via 'uname':			Jump to behavior

Source: QDucAhFhA9.elf	Binary or memory string: cat /proc/scsi/scsi \| grep -i -E 'VMWare\|VirtualBox'
Source: QDucAhFhA9.elf	Binary or memory string: @Maincat /proc/scsi/scsi \| grep -i -E 'VMWare\|VirtualBox'CONNECT %s:%d HTTP/1.1

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Systemd Service	1 Systemd Service	1 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	Boot or Logon Initialization Scripts	1 Hidden Files and Directories	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
QDucAhFhA9.elf	52%	Virustotal		Browse
QDucAhFhA9.elf	45%	ReversingLabs	Linux.Trojan.Generic

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
daisy.ubuntu.com	162.213.35.24	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
95.179.223.245	unknown	Netherlands		20473	AS-CHOOPAUS	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	arm6.elf	Get hash	malicious	Unknown	Browse	162.213.35.25
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	162.213.35.24
	arm-20250124-1346.elf	Get hash	malicious	Mirai, Moobot	Browse	162.213.35.25
	arm6-20250124-1345.elf	Get hash	malicious	Mirai, Moobot	Browse	162.213.35.24
	mips-20250124-1345.elf	Get hash	malicious	Mirai, Moobot	Browse	162.213.35.25
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	162.213.35.24
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	162.213.35.25
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	162.213.35.25
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	162.213.35.25
	arm6.elf	Get hash	malicious	Mirai, Moobot	Browse	162.213.35.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-CHOOPAUS	http://home45insurance.blogspot.com	Get hash	malicious	Unknown	Browse	45.63.66.114
	XClient.exe	Get hash	malicious	XWorm	Browse	45.32.153.7
	https://metameaskloginr.webflow.io/	Get hash	malicious	Unknown	Browse	155.138.141.200
	l.js	Get hash	malicious	Unknown	Browse	149.248.58.85
	l.js	Get hash	malicious	Unknown	Browse	149.248.58.85
	rad59AD5.dll	Get hash	malicious	Unknown	Browse	149.248.58.85
	rad59AD5.dll	Get hash	malicious	Unknown	Browse	149.248.58.85
	http://jlolaw.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	137.220.56.63
	ti.co.exe	Get hash	malicious	I2PRAT	Browse	216.128.184.123
	lolz.exe	Get hash	malicious	Xmrig	Browse	192.248.189.11

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/dev/shm/q9FiNT

Download File

Process:	/tmp/QDucAhFhA9.elf
File Type:	data
Category:	dropped
Size (bytes):	32
Entropy (8bit):	0.3997900666170139
Encrypted:	false
SSDEEP:	3:kl1l:s
MD5:	637949C0C07A5E23745A7A5786AA43EC
SHA1:	31BBAAEE02CB197B915B67F90A53A479ED10DCC5
SHA-256:	9F1D358D5A7999AC6DD9C8B3A727620DAEFE11E7D79834D499233398BE2BB968
SHA-512:	2994278E49DEB6A19D062778C90AE0B14D86E4F058F877E8B87CCCF8E76DD9F3ECB72FCA1B8D7486FD887649819D9188A4037DB163004619B1E3C2C96621ABD5
Malicious:	false
Reputation:	low
Preview:	................................

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Reputation:	high, very likely benign file
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/usr/lib/systemd/system/ssl-key.service

Download File

Process:	/tmp/QDucAhFhA9.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	147
Entropy (8bit):	4.768033370826599
Encrypted:	false
SSDEEP:	3:zMZa77Gv+2AMzdK+NjJNtXKLwt5wuPXEZs1v2rSkQmWA1+DRvn:z8Iz2AMzdK+LjH5bJlkLQmWA4Rv
MD5:	84F8846E95DB3AEF2A99442203553BFD
SHA1:	F2CCED0FEE0E49E2CC35B1707E945B1114D65A01
SHA-256:	E7547BC29AFDD231E13CFDCD8C3FE10716AC1EDF7C11288E635AC671396A6FE2
SHA-512:	03E2E21068A892847C9BF8121C1D91CF1F2F4093F8DA341C7DE3A4639352EA90CDF27F4A2F5A872A466E41A1BDA38EAC6D9A536EB0D90190338F3C5925DFD3A8
Malicious:	false
Reputation:	low
Preview:	[Unit].Description=ssl-key..[Service].ExecStart=/bin/ssl-key.Restart=on-abort.RestartSec=2.KillSignal=SIGINT..[Install].WantedBy=multi-user.target.

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=3e04bdf21e1410359ef0bd0d3bbee2447e79fb7c, stripped
Entropy (8bit):	5.9172323500469055
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 49.77% ELF Executable and Linkable format (generic) (4004/1) 49.46% Lumena CEL bitmap (63/63) 0.78%
File name:	QDucAhFhA9.elf
File size:	69'488 bytes
MD5:	f35dc2d049000545febf88fe7df3ad4f
SHA1:	e283c34b76aeec35081fb8e7a3eb623955048c5f
SHA256:	c308a09ef991bc198f4501964ac545c37fdd977940eb98afd955ce715774c597
SHA512:	25fb977b8b84be534952577f1ebce95b32bbab7d49239aa7e808ddb070a7e1bfe153b3e223a54851e084c887a45927517a4c7992d5f169f9fd2a48c1ef805ba4
SSDEEP:	768:CqCl1U6zVbI8g3JVNYrWMCa6cOycS48gtdzIAQaxhO7t1f06UKU7CQnQ/+M:CqCHUOhg37K1Ca6cO0WfQ0haUv7VS+M
TLSH:	4F632A03B7D0C8B9C0C4CA7486DFE1569E7878D48327117F394ABB0D3965AA56F1EA23
File Content Preview:	.ELF..............>.......@.....@.......0...........@.8...@.............@.......@.@.....@.@.....................................8.......8.@.....8.@...............................................@.......@....................... .............8.......8.`....

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x401c90
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	9
Section Header Offset:	67632
Section Header Size:	64
Number of Section Headers:	29
Header String Table Index:	28

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Info	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0	0
.interp	PROGBITS	0x400238	0x238	0x1c	0x0	0x2	A	0	0	1
.note.ABI-tag	NOTE	0x400254	0x254	0x20	0x0	0x2	A	0	0	4
.note.gnu.build-id	NOTE	0x400274	0x274	0x24	0x0	0x2	A	0	0	4
.gnu.hash	GNU_HASH	0x400298	0x298	0x28c	0x0	0x2	A	5	0	8
.dynsym	DYNSYM	0x400528	0x528	0x798	0x18	0x2	A	6	1	8
.dynstr	STRTAB	0x400cc0	0xcc0	0x32c	0x0	0x2	A	0	0	1
.gnu.version	VERSYM	0x400fec	0xfec	0xa2	0x2	0x2	A	5	0	2
.gnu.version_r	VERNEED	0x401090	0x1090	0xd0	0x0	0x2	A	6	5	8
.rela.dyn	RELA	0x401160	0x1160	0x720	0x18	0x2	A	5	0	8
.rela.plt	RELA	0x401880	0x1880	0x18	0x18	0x42	AI	5	24	8
.init	PROGBITS	0x401898	0x1898	0x1a	0x0	0x6	AX	0	0	4
.plt	PROGBITS	0x4018c0	0x18c0	0x20	0x10	0x6	AX	0	0	16
.plt.got	PROGBITS	0x4018e0	0x18e0	0x260	0x0	0x6	AX	0	0	8
.text	PROGBITS	0x401b40	0x1b40	0x96f0	0x0	0x6	AX	0	0	16
.fini	PROGBITS	0x40b230	0xb230	0x9	0x0	0x6	AX	0	0	4
.rodata	PROGBITS	0x40b240	0xb240	0xcb3	0x0	0x2	A	0	0	32
.eh_frame_hdr	PROGBITS	0x40bef4	0xbef4	0x7ac	0x0	0x2	A	0	0	4
.eh_frame	PROGBITS	0x40c6a0	0xc6a0	0x294c	0x0	0x2	A	0	0	8
.gcc_except_table	PROGBITS	0x40efec	0xefec	0xb6	0x0	0x2	A	0	0	1
.init_array	INIT_ARRAY	0x60fb38	0xfb38	0x8	0x0	0x3	WA	0	0	8
.fini_array	FINI_ARRAY	0x60fb40	0xfb40	0x8	0x0	0x3	WA	0	0	8
.jcr	PROGBITS	0x60fb48	0xfb48	0x8	0x0	0x3	WA	0	0	8
.dynamic	DYNAMIC	0x60fb50	0xfb50	0x230	0x10	0x3	WA	6	0	8
.got	PROGBITS	0x60fd80	0xfd80	0x280	0x8	0x3	WA	0	0	8
.data	PROGBITS	0x610000	0x10000	0x6f0	0x0	0x3	WA	0	0	32
.bss	NOBITS	0x6106f0	0x106f0	0x10	0x0	0x3	WA	0	0	8
.comment	PROGBITS	0x0	0x106f0	0x35	0x1	0x30	MS	0	0	1
.shstrtab	STRTAB	0x0	0x10725	0x105	0x0	0x0		0	0	1

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
PHDR	0x40	0x400040	0x400040	0x1f8	0x1f8	1.8876	0x5	R E	0x8
INTERP	0x238	0x400238	0x400238	0x1c	0x1c	3.9408	0x4	R	0x1	/lib64/ld-linux-x86-64.so.2	.interp
LOAD	0x0	0x400000	0x400000	0xf0a2	0xf0a2	6.2010	0x5	R E	0x200000		.interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame .gcc_except_table
LOAD	0xfb38	0x60fb38	0x60fb38	0xbb8	0xbc8	4.1866	0x6	RW	0x200000		.init_array .fini_array .jcr .dynamic .got .data .bss
DYNAMIC	0xfb50	0x60fb50	0x60fb50	0x230	0x230	1.5515	0x6	RW	0x8		.dynamic
NOTE	0x254	0x400254	0x400254	0x44	0x44	3.3931	0x4	R	0x4		.note.ABI-tag .note.gnu.build-id
GNU_EH_FRAME	0xbef4	0x40bef4	0x40bef4	0x7ac	0x7ac	5.1292	0x4	R	0x4		.eh_frame_hdr
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x10
GNU_RELRO	0xfb38	0x60fb38	0x60fb38	0x4c8	0x4c8	0.8904	0x4	R	0x1		.init_array .fini_array .jcr .dynamic .got

Type	Meta	Value	Tag
DT_NEEDED	sharedlib	libdl.so.2	0x1
DT_NEEDED	sharedlib	libpthread.so.0	0x1
DT_NEEDED	sharedlib	libstdc++.so.6	0x1
DT_NEEDED	sharedlib	libgcc_s.so.1	0x1
DT_NEEDED	sharedlib	libc.so.6	0x1
DT_INIT	value	0x401898	0xc
DT_FINI	value	0x40b230	0xd
DT_INIT_ARRAY	value	0x60fb38	0x19
DT_INIT_ARRAYSZ	bytes	8	0x1b
DT_FINI_ARRAY	value	0x60fb40	0x1a
DT_FINI_ARRAYSZ	bytes	8	0x1c
DT_GNU_HASH	value	0x400298	0x6ffffef5
DT_STRTAB	value	0x400cc0	0x5
DT_SYMTAB	value	0x400528	0x6
DT_STRSZ	bytes	812	0xa
DT_SYMENT	bytes	24	0xb
DT_DEBUG	value	0x0	0x15
DT_PLTGOT	value	0x60fd80	0x3
DT_PLTRELSZ	bytes	24	0x2
DT_PLTREL	pltrel	DT_RELA	0x14
DT_JMPREL	value	0x401880	0x17
DT_RELA	value	0x401160	0x7
DT_RELASZ	bytes	1824	0x8
DT_RELAENT	bytes	24	0x9
DT_BIND_NOW	value	0x0	0x18
DT_FLAGS_1	value	0x1	0x6ffffffb
DT_VERNEED	value	0x401090	0x6ffffffe
DT_VERNEEDNUM	value	5	0x6fffffff
DT_VERSYM	value	0x400fec	0x6ffffff0
DT_NULL	value	0x0	0x0

Name	Version Info Name	Version Info File Name	Section Name	Value	Symbol Type	Symbol Bind	Symbol Visibility	Ndx
			.dynsym	0x0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_ITM_deregisterTMCloneTable			.dynsym	0x0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_ITM_registerTMCloneTable			.dynsym	0x0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_Jv_RegisterClasses			.dynsym	0x0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_Unwind_Resume	GCC_3.0	libgcc_s.so.1	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZdaPv	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_ZdlPv	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_Znam	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
_Znwm	GLIBCXX_3.4	libstdc++.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__gmon_start__			.dynsym	0x0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__gxx_personality_v0	CXXABI_1.3	libstdc++.so.6	.dynsym	0x4018d0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__libc_start_main	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__memcpy_chk	GLIBC_2.3.4	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__realpath_chk	GLIBC_2.4	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__snprintf_chk	GLIBC_2.3.4	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__sprintf_chk	GLIBC_2.3.4	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__stack_chk_fail	GLIBC_2.4	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__strcat_chk	GLIBC_2.3.4	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__strcpy_chk	GLIBC_2.3.4	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
__xstat64	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
access	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
atoi	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
close	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
connect	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
dlopen	GLIBC_2.2.5	libdl.so.2	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
dlsym	GLIBC_2.2.5	libdl.so.2	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
exit	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fclose	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
feof	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fgets	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fopen	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fork	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fread	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
free	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
fwrite	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getenv	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gethostbyname	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
gethostname	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getpwuid	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
getuid	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
inet_addr	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
inet_ntoa	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
ioctl	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
malloc	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
memcmp	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
mkdir	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
mmap	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
munmap	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
open64	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
pclose	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
poll	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
popen	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
rand	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
read	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
realloc	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
recv	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
recvfrom	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
remove	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
rename	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sem_close	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sem_open	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sem_unlink	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
send	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sendto	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
setsid	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
setsockopt	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
shutdown	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
signal	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
sleep	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
socket	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
srand	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strcat	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strchr	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strcmp	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strcpy	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
strstr	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
system	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
time	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
times	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
unlink	GLIBC_2.2.5	libc.so.6	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF
write	GLIBC_2.2.5	libpthread.so.0	.dynsym	0x0	FUNC	<unknown>	DEFAULT	SHN_UNDEF

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 24, 2025 16:40:55.248323917 CET	50084	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:40:55.253365993 CET	3128	50084	10.242.174.74	192.168.2.13
Jan 24, 2025 16:40:55.253424883 CET	50084	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:40:55.254533052 CET	50084	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:40:55.259344101 CET	3128	50084	10.242.174.74	192.168.2.13
Jan 24, 2025 16:41:16.628112078 CET	3128	50084	10.242.174.74	192.168.2.13
Jan 24, 2025 16:41:16.628595114 CET	50084	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:41:16.629287004 CET	50086	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:41:16.633511066 CET	3128	50084	10.242.174.74	192.168.2.13
Jan 24, 2025 16:41:16.634131908 CET	3128	50086	10.242.174.74	192.168.2.13
Jan 24, 2025 16:41:16.634222984 CET	50086	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:41:16.634751081 CET	50086	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:41:16.639539003 CET	3128	50086	10.242.174.74	192.168.2.13
Jan 24, 2025 16:41:38.054188013 CET	3128	50086	10.242.174.74	192.168.2.13
Jan 24, 2025 16:41:38.054424047 CET	50086	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:41:38.055083990 CET	59724	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:41:38.055182934 CET	443	59724	95.179.223.245	192.168.2.13
Jan 24, 2025 16:41:38.055264950 CET	59724	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:41:38.059354067 CET	3128	50086	10.242.174.74	192.168.2.13
Jan 24, 2025 16:41:38.126249075 CET	59724	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:41:38.126331091 CET	443	59724	95.179.223.245	192.168.2.13
Jan 24, 2025 16:41:38.126398087 CET	443	59724	95.179.223.245	192.168.2.13
Jan 24, 2025 16:41:39.423604965 CET	50090	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:41:39.428993940 CET	3128	50090	10.242.174.74	192.168.2.13
Jan 24, 2025 16:41:39.429081917 CET	50090	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:41:39.429457903 CET	50090	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:41:39.434526920 CET	3128	50090	10.242.174.74	192.168.2.13
Jan 24, 2025 16:42:00.802484989 CET	3128	50090	10.242.174.74	192.168.2.13
Jan 24, 2025 16:42:00.802777052 CET	50090	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:42:00.803406954 CET	50092	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:42:00.808571100 CET	3128	50090	10.242.174.74	192.168.2.13
Jan 24, 2025 16:42:00.809165955 CET	3128	50092	10.242.174.74	192.168.2.13
Jan 24, 2025 16:42:00.809253931 CET	50092	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:42:00.809600115 CET	50092	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:42:00.814461946 CET	3128	50092	10.242.174.74	192.168.2.13
Jan 24, 2025 16:42:22.239166021 CET	3128	50092	10.242.174.74	192.168.2.13
Jan 24, 2025 16:42:22.239367008 CET	50092	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:42:22.240130901 CET	59730	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:42:22.240225077 CET	443	59730	95.179.223.245	192.168.2.13
Jan 24, 2025 16:42:22.240402937 CET	59730	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:42:22.246185064 CET	3128	50092	10.242.174.74	192.168.2.13
Jan 24, 2025 16:42:22.276268005 CET	59730	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:42:22.276294947 CET	443	59730	95.179.223.245	192.168.2.13
Jan 24, 2025 16:42:22.276388884 CET	443	59730	95.179.223.245	192.168.2.13
Jan 24, 2025 16:42:23.512836933 CET	50096	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:42:23.520698071 CET	3128	50096	10.242.174.74	192.168.2.13
Jan 24, 2025 16:42:23.520786047 CET	50096	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:42:23.521178961 CET	50096	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:42:23.528882027 CET	3128	50096	10.242.174.74	192.168.2.13
Jan 24, 2025 16:42:44.893918991 CET	3128	50096	10.242.174.74	192.168.2.13
Jan 24, 2025 16:42:44.894066095 CET	50096	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:42:44.894066095 CET	50096	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:42:44.894570112 CET	50098	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:42:44.899158955 CET	3128	50096	10.242.174.74	192.168.2.13
Jan 24, 2025 16:42:44.899452925 CET	3128	50098	10.242.174.74	192.168.2.13
Jan 24, 2025 16:42:44.899514914 CET	50098	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:42:44.899820089 CET	50098	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:42:44.904620886 CET	3128	50098	10.242.174.74	192.168.2.13
Jan 24, 2025 16:43:06.270699978 CET	3128	50098	10.242.174.74	192.168.2.13
Jan 24, 2025 16:43:06.270880938 CET	50098	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:43:06.271548986 CET	59736	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:43:06.271579027 CET	443	59736	95.179.223.245	192.168.2.13
Jan 24, 2025 16:43:06.271645069 CET	59736	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:43:06.275691032 CET	3128	50098	10.242.174.74	192.168.2.13
Jan 24, 2025 16:43:06.297411919 CET	59736	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:43:06.297441959 CET	443	59736	95.179.223.245	192.168.2.13
Jan 24, 2025 16:43:06.297560930 CET	443	59736	95.179.223.245	192.168.2.13
Jan 24, 2025 16:43:07.562648058 CET	50102	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:43:07.571299076 CET	3128	50102	10.242.174.74	192.168.2.13
Jan 24, 2025 16:43:07.571389914 CET	50102	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:43:07.571877003 CET	50102	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:43:07.576761961 CET	3128	50102	10.242.174.74	192.168.2.13
Jan 24, 2025 16:43:28.943111897 CET	3128	50102	10.242.174.74	192.168.2.13
Jan 24, 2025 16:43:28.943552017 CET	50102	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:43:28.947962999 CET	50104	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:43:28.948503017 CET	3128	50102	10.242.174.74	192.168.2.13
Jan 24, 2025 16:43:28.952877045 CET	3128	50104	10.242.174.74	192.168.2.13
Jan 24, 2025 16:43:28.952933073 CET	50104	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:43:28.959321022 CET	50104	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:43:28.964199066 CET	3128	50104	10.242.174.74	192.168.2.13
Jan 24, 2025 16:43:50.336117983 CET	3128	50104	10.242.174.74	192.168.2.13
Jan 24, 2025 16:43:50.336282015 CET	50104	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:43:50.336903095 CET	59742	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:43:50.336937904 CET	443	59742	95.179.223.245	192.168.2.13
Jan 24, 2025 16:43:50.336981058 CET	59742	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:43:50.341116905 CET	3128	50104	10.242.174.74	192.168.2.13
Jan 24, 2025 16:43:50.384141922 CET	59742	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:43:50.384161949 CET	443	59742	95.179.223.245	192.168.2.13
Jan 24, 2025 16:43:50.384233952 CET	443	59742	95.179.223.245	192.168.2.13
Jan 24, 2025 16:43:51.899048090 CET	50108	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:43:51.904486895 CET	3128	50108	10.242.174.74	192.168.2.13
Jan 24, 2025 16:43:51.904541969 CET	50108	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:43:51.906996965 CET	50108	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:43:51.912612915 CET	3128	50108	10.242.174.74	192.168.2.13
Jan 24, 2025 16:44:13.504590988 CET	3128	50108	10.242.174.74	192.168.2.13
Jan 24, 2025 16:44:13.504753113 CET	50108	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:44:13.506217957 CET	50110	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:44:13.509494066 CET	3128	50108	10.242.174.74	192.168.2.13
Jan 24, 2025 16:44:13.511053085 CET	3128	50110	10.242.174.74	192.168.2.13
Jan 24, 2025 16:44:13.511099100 CET	50110	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:44:13.511962891 CET	50110	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:44:13.516741037 CET	3128	50110	10.242.174.74	192.168.2.13
Jan 24, 2025 16:44:34.915396929 CET	3128	50110	10.242.174.74	192.168.2.13
Jan 24, 2025 16:44:34.915555954 CET	50110	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:44:34.916043043 CET	59748	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:44:34.916079044 CET	443	59748	95.179.223.245	192.168.2.13
Jan 24, 2025 16:44:34.916122913 CET	59748	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:44:34.920466900 CET	3128	50110	10.242.174.74	192.168.2.13
Jan 24, 2025 16:44:34.943896055 CET	59748	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:44:34.943913937 CET	443	59748	95.179.223.245	192.168.2.13
Jan 24, 2025 16:44:34.943974018 CET	443	59748	95.179.223.245	192.168.2.13
Jan 24, 2025 16:44:36.212800026 CET	50114	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:44:36.218028069 CET	3128	50114	10.242.174.74	192.168.2.13
Jan 24, 2025 16:44:36.218087912 CET	50114	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:44:36.218493938 CET	50114	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:44:36.223373890 CET	3128	50114	10.242.174.74	192.168.2.13
Jan 24, 2025 16:44:57.603097916 CET	3128	50114	10.242.174.74	192.168.2.13
Jan 24, 2025 16:44:57.603319883 CET	50114	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:44:57.606688976 CET	50116	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:44:57.608288050 CET	3128	50114	10.242.174.74	192.168.2.13
Jan 24, 2025 16:44:57.611541033 CET	3128	50116	10.242.174.74	192.168.2.13
Jan 24, 2025 16:44:57.611651897 CET	50116	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:44:57.612579107 CET	50116	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:44:57.617300987 CET	3128	50116	10.242.174.74	192.168.2.13
Jan 24, 2025 16:45:19.006062031 CET	3128	50116	10.242.174.74	192.168.2.13
Jan 24, 2025 16:45:19.006267071 CET	50116	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:45:19.006777048 CET	59754	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:45:19.006891966 CET	443	59754	95.179.223.245	192.168.2.13
Jan 24, 2025 16:45:19.006966114 CET	59754	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:45:19.011482954 CET	3128	50116	10.242.174.74	192.168.2.13
Jan 24, 2025 16:45:19.033123970 CET	59754	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:45:19.033143044 CET	443	59754	95.179.223.245	192.168.2.13
Jan 24, 2025 16:45:19.033186913 CET	443	59754	95.179.223.245	192.168.2.13
Jan 24, 2025 16:45:20.277235031 CET	50120	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:45:20.284634113 CET	3128	50120	10.242.174.74	192.168.2.13
Jan 24, 2025 16:45:20.284706116 CET	50120	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:45:20.285152912 CET	50120	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:45:20.289941072 CET	3128	50120	10.242.174.74	192.168.2.13
Jan 24, 2025 16:45:41.729353905 CET	3128	50120	10.242.174.74	192.168.2.13
Jan 24, 2025 16:45:41.729747057 CET	50120	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:45:41.730639935 CET	50122	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:45:41.736372948 CET	3128	50120	10.242.174.74	192.168.2.13
Jan 24, 2025 16:45:41.737103939 CET	3128	50122	10.242.174.74	192.168.2.13
Jan 24, 2025 16:45:41.737207890 CET	50122	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:45:41.737932920 CET	50122	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:45:41.745259047 CET	3128	50122	10.242.174.74	192.168.2.13
Jan 24, 2025 16:46:03.119945049 CET	3128	50122	10.242.174.74	192.168.2.13
Jan 24, 2025 16:46:03.120173931 CET	50122	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:46:03.120908976 CET	59760	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:46:03.120956898 CET	443	59760	95.179.223.245	192.168.2.13
Jan 24, 2025 16:46:03.121032953 CET	59760	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:46:03.125021935 CET	3128	50122	10.242.174.74	192.168.2.13
Jan 24, 2025 16:46:03.167469978 CET	59760	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:46:03.167493105 CET	443	59760	95.179.223.245	192.168.2.13
Jan 24, 2025 16:46:03.220202923 CET	59760	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:46:03.220227957 CET	443	59760	95.179.223.245	192.168.2.13
Jan 24, 2025 16:46:46.163830996 CET	443	59760	95.179.223.245	192.168.2.13
Jan 24, 2025 16:46:46.166059971 CET	59760	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:46:48.174217939 CET	59760	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:46:48.174252987 CET	443	59760	95.179.223.245	192.168.2.13
Jan 24, 2025 16:46:48.174808979 CET	50126	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:46:48.179842949 CET	3128	50126	10.242.174.74	192.168.2.13
Jan 24, 2025 16:46:48.179919004 CET	50126	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:46:48.180480003 CET	50126	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:46:48.185347080 CET	3128	50126	10.242.174.74	192.168.2.13
Jan 24, 2025 16:47:09.572217941 CET	3128	50126	10.242.174.74	192.168.2.13
Jan 24, 2025 16:47:09.572458029 CET	50126	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:47:09.577615976 CET	3128	50126	10.242.174.74	192.168.2.13
Jan 24, 2025 16:47:09.581083059 CET	50128	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:47:09.585998058 CET	3128	50128	10.242.174.74	192.168.2.13
Jan 24, 2025 16:47:09.586075068 CET	50128	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:47:09.588253021 CET	50128	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:47:09.594079971 CET	3128	50128	10.242.174.74	192.168.2.13
Jan 24, 2025 16:47:30.946399927 CET	3128	50128	10.242.174.74	192.168.2.13
Jan 24, 2025 16:47:30.946688890 CET	50128	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:47:30.950336933 CET	59766	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:47:30.950397015 CET	443	59766	95.179.223.245	192.168.2.13
Jan 24, 2025 16:47:30.950455904 CET	59766	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:47:30.951596022 CET	3128	50128	10.242.174.74	192.168.2.13
Jan 24, 2025 16:47:30.993480921 CET	59766	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:47:30.993560076 CET	443	59766	95.179.223.245	192.168.2.13
Jan 24, 2025 16:47:30.993628979 CET	443	59766	95.179.223.245	192.168.2.13
Jan 24, 2025 16:47:32.274646997 CET	50132	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:47:32.283993959 CET	3128	50132	10.242.174.74	192.168.2.13
Jan 24, 2025 16:47:32.284095049 CET	50132	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:47:32.284511089 CET	50132	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:47:32.293524027 CET	3128	50132	10.242.174.74	192.168.2.13
Jan 24, 2025 16:47:53.689030886 CET	3128	50132	10.242.174.74	192.168.2.13
Jan 24, 2025 16:47:53.689398050 CET	50132	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:47:53.689774036 CET	50134	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:47:53.694346905 CET	3128	50132	10.242.174.74	192.168.2.13
Jan 24, 2025 16:47:53.694596052 CET	3128	50134	10.242.174.74	192.168.2.13
Jan 24, 2025 16:47:53.694649935 CET	50134	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:47:53.695256948 CET	50134	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:47:53.701102972 CET	3128	50134	10.242.174.74	192.168.2.13
Jan 24, 2025 16:48:15.055866003 CET	3128	50134	10.242.174.74	192.168.2.13
Jan 24, 2025 16:48:15.056101084 CET	50134	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:48:15.056755066 CET	59772	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:48:15.056767941 CET	443	59772	95.179.223.245	192.168.2.13
Jan 24, 2025 16:48:15.056822062 CET	59772	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:48:15.061069965 CET	3128	50134	10.242.174.74	192.168.2.13
Jan 24, 2025 16:48:15.093153954 CET	59772	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:48:15.093167067 CET	443	59772	95.179.223.245	192.168.2.13
Jan 24, 2025 16:48:15.093199015 CET	443	59772	95.179.223.245	192.168.2.13
Jan 24, 2025 16:48:16.513664961 CET	50138	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:48:16.519037962 CET	3128	50138	10.242.174.74	192.168.2.13
Jan 24, 2025 16:48:16.519207001 CET	50138	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:48:16.519572973 CET	50138	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:48:16.524777889 CET	3128	50138	10.242.174.74	192.168.2.13
Jan 24, 2025 16:48:37.886246920 CET	3128	50138	10.242.174.74	192.168.2.13
Jan 24, 2025 16:48:37.886461973 CET	50138	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:48:37.887352943 CET	50140	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:48:37.891398907 CET	3128	50138	10.242.174.74	192.168.2.13
Jan 24, 2025 16:48:37.894433975 CET	3128	50140	10.242.174.74	192.168.2.13
Jan 24, 2025 16:48:37.894501925 CET	50140	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:48:37.895569086 CET	50140	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:48:37.903037071 CET	3128	50140	10.242.174.74	192.168.2.13
Jan 24, 2025 16:48:59.260603905 CET	3128	50140	10.242.174.74	192.168.2.13
Jan 24, 2025 16:48:59.260847092 CET	50140	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:48:59.262170076 CET	59778	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:48:59.262192965 CET	443	59778	95.179.223.245	192.168.2.13
Jan 24, 2025 16:48:59.262264967 CET	59778	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:48:59.265712976 CET	3128	50140	10.242.174.74	192.168.2.13
Jan 24, 2025 16:48:59.307538033 CET	59778	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:48:59.307560921 CET	443	59778	95.179.223.245	192.168.2.13
Jan 24, 2025 16:48:59.307719946 CET	443	59778	95.179.223.245	192.168.2.13
Jan 24, 2025 16:49:01.159353018 CET	50144	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:49:01.166342974 CET	3128	50144	10.242.174.74	192.168.2.13
Jan 24, 2025 16:49:01.166435957 CET	50144	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:49:01.168773890 CET	50144	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:49:01.173890114 CET	3128	50144	10.242.174.74	192.168.2.13
Jan 24, 2025 16:49:22.542049885 CET	3128	50144	10.242.174.74	192.168.2.13
Jan 24, 2025 16:49:22.542557001 CET	50144	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:49:22.543489933 CET	50146	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:49:22.547605991 CET	3128	50144	10.242.174.74	192.168.2.13
Jan 24, 2025 16:49:22.548561096 CET	3128	50146	10.242.174.74	192.168.2.13
Jan 24, 2025 16:49:22.548650980 CET	50146	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:49:22.549211979 CET	50146	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:49:22.553976059 CET	3128	50146	10.242.174.74	192.168.2.13
Jan 24, 2025 16:49:43.917047977 CET	3128	50146	10.242.174.74	192.168.2.13
Jan 24, 2025 16:49:43.917395115 CET	50146	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:49:43.918239117 CET	59784	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:49:43.918299913 CET	443	59784	95.179.223.245	192.168.2.13
Jan 24, 2025 16:49:43.918376923 CET	59784	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:49:43.922230005 CET	3128	50146	10.242.174.74	192.168.2.13
Jan 24, 2025 16:49:43.952965021 CET	59784	443	192.168.2.13	95.179.223.245
Jan 24, 2025 16:49:43.953006983 CET	443	59784	95.179.223.245	192.168.2.13
Jan 24, 2025 16:49:43.953073025 CET	443	59784	95.179.223.245	192.168.2.13
Jan 24, 2025 16:49:45.201165915 CET	50150	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:49:45.207925081 CET	3128	50150	10.242.174.74	192.168.2.13
Jan 24, 2025 16:49:45.208180904 CET	50150	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:49:45.208724022 CET	50150	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:49:45.213516951 CET	3128	50150	10.242.174.74	192.168.2.13
Jan 24, 2025 16:50:06.573745966 CET	3128	50150	10.242.174.74	192.168.2.13
Jan 24, 2025 16:50:06.574167967 CET	50150	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:50:06.575301886 CET	50152	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:50:06.579400063 CET	3128	50150	10.242.174.74	192.168.2.13
Jan 24, 2025 16:50:06.580693007 CET	3128	50152	10.242.174.74	192.168.2.13
Jan 24, 2025 16:50:06.580764055 CET	50152	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:50:06.581598043 CET	50152	3128	192.168.2.13	10.242.174.74
Jan 24, 2025 16:50:06.587372065 CET	3128	50152	10.242.174.74	192.168.2.13

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 24, 2025 16:43:39.484874964 CET	44594	53	192.168.2.13	8.8.8.8
Jan 24, 2025 16:43:39.484965086 CET	42515	53	192.168.2.13	8.8.8.8
Jan 24, 2025 16:43:39.491394997 CET	53	42515	8.8.8.8	192.168.2.13
Jan 24, 2025 16:43:39.492399931 CET	53	44594	8.8.8.8	192.168.2.13

Start time (UTC):	15:40:54
Start date (UTC):	24/01/2025
Path:	/tmp/QDucAhFhA9.elf
Arguments:	/tmp/QDucAhFhA9.elf
File size:	69488 bytes
MD5 hash:	f35dc2d049000545febf88fe7df3ad4f

Start time (UTC):	15:41:38
Start date (UTC):	24/01/2025
Path:	/tmp/QDucAhFhA9.elf
Arguments:	-
File size:	69488 bytes
MD5 hash:	f35dc2d049000545febf88fe7df3ad4f

Start time (UTC):	15:42:22
Start date (UTC):	24/01/2025
Path:	/tmp/QDucAhFhA9.elf
Arguments:	-
File size:	69488 bytes
MD5 hash:	f35dc2d049000545febf88fe7df3ad4f

Start time (UTC):	15:42:23
Start date (UTC):	24/01/2025
Path:	/tmp/QDucAhFhA9.elf
Arguments:	-
File size:	69488 bytes
MD5 hash:	f35dc2d049000545febf88fe7df3ad4f

Start time (UTC):	15:43:06
Start date (UTC):	24/01/2025
Path:	/tmp/QDucAhFhA9.elf
Arguments:	-
File size:	69488 bytes
MD5 hash:	f35dc2d049000545febf88fe7df3ad4f

Start time (UTC):	15:43:07
Start date (UTC):	24/01/2025
Path:	/usr/bin/grep
Arguments:	grep network.proxy.ssl
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Start time (UTC):	15:43:51
Start date (UTC):	24/01/2025
Path:	/tmp/QDucAhFhA9.elf
Arguments:	-
File size:	69488 bytes
MD5 hash:	f35dc2d049000545febf88fe7df3ad4f

Start time (UTC):	15:44:35
Start date (UTC):	24/01/2025
Path:	/tmp/QDucAhFhA9.elf
Arguments:	-
File size:	69488 bytes
MD5 hash:	f35dc2d049000545febf88fe7df3ad4f

Start time (UTC):	15:45:19
Start date (UTC):	24/01/2025
Path:	/tmp/QDucAhFhA9.elf
Arguments:	-
File size:	69488 bytes
MD5 hash:	f35dc2d049000545febf88fe7df3ad4f

Start time (UTC):	15:46:46
Start date (UTC):	24/01/2025
Path:	/tmp/QDucAhFhA9.elf
Arguments:	-
File size:	69488 bytes
MD5 hash:	f35dc2d049000545febf88fe7df3ad4f

Start time (UTC):	15:46:47
Start date (UTC):	24/01/2025
Path:	/tmp/QDucAhFhA9.elf
Arguments:	-
File size:	69488 bytes
MD5 hash:	f35dc2d049000545febf88fe7df3ad4f

Start time (UTC):	15:47:31
Start date (UTC):	24/01/2025
Path:	/tmp/QDucAhFhA9.elf
Arguments:	-
File size:	69488 bytes
MD5 hash:	f35dc2d049000545febf88fe7df3ad4f

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report QDucAhFhA9.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/dev/shm/q9FiNT

/memfd:snapd-env-generator (deleted)

/usr/lib/systemd/system/ssl-key.service

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Dynamic Tags

Symbols

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Packets

System Behavior

Analysis Process: QDucAhFhA9.elf PID: 5418, Parent PID: 5340

General

Chronological Activities

Analysis Process: QDucAhFhA9.elf PID: 5419, Parent PID: 5418

General

Chronological Activities

Analysis Process: sh PID: 5419, Parent PID: 5418

General

Chronological Activities

Analysis Process: sh PID: 5420, Parent PID: 5419

General

Chronological Activities

Analysis Process: systemctl PID: 5420, Parent PID: 5419

General

Chronological Activities

Analysis Process: QDucAhFhA9.elf PID: 5424, Parent PID: 5418

Linux Analysis Report
QDucAhFhA9.elf

Start time (UTC):	15:48:15
Start date (UTC):	24/01/2025
Path:	/tmp/QDucAhFhA9.elf
Arguments:	-
File size:	69488 bytes
MD5 hash:	f35dc2d049000545febf88fe7df3ad4f

Start time (UTC):	15:48:16
Start date (UTC):	24/01/2025
Path:	/tmp/QDucAhFhA9.elf
Arguments:	-
File size:	69488 bytes
MD5 hash:	f35dc2d049000545febf88fe7df3ad4f

Start time (UTC):	15:48:59
Start date (UTC):	24/01/2025
Path:	/tmp/QDucAhFhA9.elf
Arguments:	-
File size:	69488 bytes
MD5 hash:	f35dc2d049000545febf88fe7df3ad4f

Start time (UTC):	15:49:00
Start date (UTC):	24/01/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	15:49:44
Start date (UTC):	24/01/2025
Path:	/tmp/QDucAhFhA9.elf
Arguments:	-
File size:	69488 bytes
MD5 hash:	f35dc2d049000545febf88fe7df3ad4f

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre