Linux Analysis Report s54l0GKMh9

Overview

General Information

Sample Name: s54l0GKMh9
Analysis ID: 452440
MD5: 1a11fb2e59573ff9c8461a5998496ec4
SHA1: 0ac1b218948da361997a3dbf43859cedf732bc88
SHA256: 874f3a399fb4a6a3c99f86f6417c388b254e206f5bef96fb3b33bc38cac020dd
Tags: 32, elf, mips, mirai

Detection

Mirai
Score: 80
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Opens /sys/class/net/* files useful for querying network interface information
Sample is packed with UPX
Sample tries to kill many processes (SIGKILL)
Uses known network protocols on non-standard ports
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Reads system information from the proc file system
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: s54l0GKMh9 Virustotal: Detection: 34%
Source: s54l0GKMh9 ReversingLabs: Detection: 39%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38782
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38782
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 85.212.55.180: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.214.131.170: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.228.46.62: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.115.187.248: -> 192.168.2.20:
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 114.32.242.146:23 -> 192.168.2.20:40300
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 114.32.242.146:23 -> 192.168.2.20:40300
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.134.16.23: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52934
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.93.50.80: -> 192.168.2.20:
Opens /sys/class/net/* files useful for querying network interface information
Source: /usr/sbin/NetworkManager (PID: 4634) Opens: /sys/class/net/ens160/uevent
Source: /usr/sbin/NetworkManager (PID: 4634) Opens: /sys/class/net/
Source: /usr/sbin/NetworkManager (PID: 4634) Opens: /sys/class/net/
Source: /usr/sbin/NetworkManager (PID: 4634) Opens: /sys/class/net/ens160/phys_port_id
Source: /usr/sbin/NetworkManager (PID: 4634) Opens: /sys/class/net/ens160/dev_id
Source: /usr/sbin/NetworkManager (PID: 4634) Opens: /sys/class/net/lo/phys_port_id
Source: /usr/sbin/NetworkManager (PID: 4634) Opens: /sys/class/net/lo/dev_id
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 44096
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 44100
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 44102
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 44106
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 44116
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 44122
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 44128
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 44140
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 44156
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 44158
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41462
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41466
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41470
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41482
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41486
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41492
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41506
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41520
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41534
Source: unknown Network traffic detected: HTTP traffic on port 23 -> 41560
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.20:35686 -> 37.230.137.227:1312
Sample listens on a socket
Source: /tmp/s54l0GKMh9 (PID: 4606) Socket: 0.0.0.0::0
Source: /tmp/s54l0GKMh9 (PID: 4606) Socket: 0.0.0.0::23
Source: /tmp/s54l0GKMh9 (PID: 4606) Socket: 0.0.0.0::53413
Source: /tmp/s54l0GKMh9 (PID: 4606) Socket: 0.0.0.0::80
Source: /tmp/s54l0GKMh9 (PID: 4606) Socket: 0.0.0.0::52869
Source: /tmp/s54l0GKMh9 (PID: 4606) Socket: 0.0.0.0::37215
Source: /tmp/s54l0GKMh9 (PID: 4611) Socket: 0.0.0.0::0
Source: /tmp/s54l0GKMh9 (PID: 4611) Socket: 0.0.0.0::23
Source: /tmp/s54l0GKMh9 (PID: 4611) Socket: 0.0.0.0::53413
Source: /tmp/s54l0GKMh9 (PID: 4611) Socket: 0.0.0.0::80
Source: /tmp/s54l0GKMh9 (PID: 4611) Socket: 0.0.0.0::52869
Source: /tmp/s54l0GKMh9 (PID: 4611) Socket: 0.0.0.0::37215
Source: /usr/sbin/sshd (PID: 4619) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 4619) Socket: [::]::22
Source: /usr/sbin/sshd (PID: 4742) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 4742) Socket: [::]::22
Source: /usr/sbin/sshd (PID: 4837) Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 4837) Socket: [::]::22
Source: s54l0GKMh9 String found in binary or memory: http://upx.sf.net

System Summary:

Sample tries to kill many processes (SIGKILL)
Source: /tmp/s54l0GKMh9 (PID: 4606) SIGKILL sent: pid: 1339, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 4606, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 1059, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 1065, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 1091, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 1362, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 1363, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 3289, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 3308, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 3484, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 3491, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 3496, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 3501, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 3596, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 3601, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 3606, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 3611, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 3616, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 3790, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 3791, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 4614, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 4619, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 4634, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 4699, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 4742, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611) SIGKILL sent: pid: 4611, result: successful
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x100000
Sample tries to kill a process (SIGKILL)
Source: classification engine Classification label: mal80.spre.troj.spyw.evad.lin@0/8@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior:

Creates hidden files and/or directories
Source: /usr/sbin/NetworkManager (PID: 4634) Directory: /root/.cache
Enumerates processes within the "proc" file system
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/1091/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/1065/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/1062/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/1084/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/1095/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/1072/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/1060/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/550/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/1/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/496/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/1017/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/1059/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/1024/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/1145/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/535/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/1078/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/1155/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/1119/fd
Source: /tmp/s54l0GKMh9 (PID: 4606) File opened: /proc/1339/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1065/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1065/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1065/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3485/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3485/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3485/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3485/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3485/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3484/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3484/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3484/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1062/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1062/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1062/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1062/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1062/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3482/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3482/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3482/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3482/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3482/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3481/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3481/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3481/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3481/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3481/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1060/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1060/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1060/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1060/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1060/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/4606/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/4606/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/4608/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/4608/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/4608/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1059/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1059/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1059/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3479/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3479/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3479/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3479/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3479/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3512/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3512/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3512/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3512/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3512/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3477/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3477/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3477/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3477/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3477/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1452/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1452/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1452/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1452/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1452/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/514/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3632/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3632/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3632/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3632/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3632/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/519/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3518/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3518/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3518/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3518/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3518/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3497/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3497/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3497/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3497/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3497/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3133/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3133/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3133/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3133/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3133/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3496/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3496/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/3496/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1072/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1072/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1072/exe
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1072/fd
Source: /tmp/s54l0GKMh9 (PID: 4611) File opened: /proc/1072/fd
Reads system information from the proc file system
Source: /usr/lib/snapd/snapd (PID: 4699) Reads from proc file: /proc/sys/net/core/somaxconn
Source: /usr/lib/snapd/snapd (PID: 4699) Reads from proc file: /proc/sys/kernel/hostname
Source: /usr/lib/snapd/snapd (PID: 4816) Reads from proc file: /proc/sys/net/core/somaxconn
Source: /usr/lib/snapd/snapd (PID: 4816) Reads from proc file: /proc/sys/kernel/hostname

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/s54l0GKMh9 (PID: 4589) Queries kernel information via 'uname'
Source: /usr/sbin/NetworkManager (PID: 4634) Queries kernel information via 'uname'
Source: /lib/systemd/systemd-hostnamed (PID: 4674) Queries kernel information via 'uname'
Source: /usr/lib/snapd/snapd (PID: 4699) Queries kernel information via 'uname'
Source: /lib/systemd/systemd-hostnamed (PID: 4794) Queries kernel information via 'uname'
Source: /usr/lib/snapd/snapd (PID: 4816) Queries kernel information via 'uname'