Play interactive tour

Edit tour

Linux Analysis Report s54l0GKMh9

Overview

General Information

Sample Name:	s54l0GKMh9
Analysis ID:	452440
MD5:	1a11fb2e59573ff9c8461a5998496ec4
SHA1:	0ac1b218948da361997a3dbf43859cedf732bc88
SHA256:	874f3a399fb4a6a3c99f86f6417c388b254e206f5bef96fb3b33bc38cac020dd
Tags:	32elfmipsmirai
Infos:

Detection

Mirai

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Opens /sys/class/net/* files useful for querying network interface information

Sample is packed with UPX

Sample tries to kill many processes (SIGKILL)

Uses known network protocols on non-standard ports

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Reads system information from the proc file system

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452440
Start date:	22.07.2021
Start time:	11:08:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 40s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	s54l0GKMh9
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:	default
Detection:	MAL
Classification:	mal80.spre.troj.spyw.evad.lin@0/8@0/0
Warnings:	Show All Excluded IPs from analysis (whitelisted): 91.189.92.19, 91.189.92.39, 91.189.92.41, 91.189.92.38, 91.189.92.40, 91.189.92.20 TCP Packets have been reduced to 100 Excluded domains from analysis (whitelisted): api.snapcraft.io Report size exceeded maximum capacity and may have missing network information.

Process Tree

system is lnxubuntu1

s54l0GKMh9 (PID: 4589, Parent: 4518, MD5: 1a11fb2e59573ff9c8461a5998496ec4) Arguments: /usr/bin/qemu-mipsel /tmp/s54l0GKMh9

s54l0GKMh9 New Fork (PID: 4606, Parent: 4589)

s54l0GKMh9 New Fork (PID: 4607, Parent: 4589)

s54l0GKMh9 New Fork (PID: 4608, Parent: 4589)

s54l0GKMh9 New Fork (PID: 4611, Parent: 4608)

s54l0GKMh9 New Fork (PID: 4613, Parent: 4608)

s54l0GKMh9 New Fork (PID: 4614, Parent: 4608)

systemd New Fork (PID: 4619, Parent: 1)

sshd (PID: 4619, Parent: 1, MD5: 661b2a2da3b6c7d7ef41d0b9da1caa3b) Arguments: /usr/sbin/sshd -D

systemd New Fork (PID: 4634, Parent: 1)

NetworkManager (PID: 4634, Parent: 1, MD5: 43dcb4efce9c2c522442ae62538bf659) Arguments: /usr/sbin/NetworkManager --no-daemon

systemd New Fork (PID: 4648, Parent: 1)

nm-online (PID: 4648, Parent: 1, MD5: ac72f7c256e548d273a5133a245a1638) Arguments: /usr/bin/nm-online -s -q --timeout=30

systemd New Fork (PID: 4661, Parent: 1)

nm-dispatcher (PID: 4661, Parent: 1, MD5: 7d4ef829ade49b564256f3f295f9c826) Arguments: /usr/lib/NetworkManager/nm-dispatcher

nm-dispatcher New Fork (PID: 4678, Parent: 4661)

01ifupdown (PID: 4678, Parent: 4661, MD5: 299819a8e64f00a1edbdfc99d05a8594) Arguments: /bin/sh -e /etc/NetworkManager/dispatcher.d/01ifupdown none hostname

systemd New Fork (PID: 4674, Parent: 1)

systemd-hostnamed (PID: 4674, Parent: 1, MD5: b05764f1a40963131ea2e1cd585f4139) Arguments: /lib/systemd/systemd-hostnamed

systemd New Fork (PID: 4699, Parent: 1)

snapd (PID: 4699, Parent: 1, MD5: 416402f94a949af355c09e8bccfa0eb0) Arguments: /usr/lib/snapd/snapd

systemd New Fork (PID: 4718, Parent: 1)

iscsiadm (PID: 4718, Parent: 1, MD5: b9363fe8099be776e324a481e209d7c4) Arguments: /sbin/iscsiadm -k 0 2

systemd New Fork (PID: 4742, Parent: 1)

sshd (PID: 4742, Parent: 1, MD5: 661b2a2da3b6c7d7ef41d0b9da1caa3b) Arguments: /usr/sbin/sshd -D

systemd New Fork (PID: 4794, Parent: 1)

systemd-hostnamed (PID: 4794, Parent: 1, MD5: b05764f1a40963131ea2e1cd585f4139) Arguments: /lib/systemd/systemd-hostnamed

systemd New Fork (PID: 4816, Parent: 1)

snapd (PID: 4816, Parent: 1, MD5: 416402f94a949af355c09e8bccfa0eb0) Arguments: /usr/lib/snapd/snapd

systemd New Fork (PID: 4837, Parent: 1)

sshd (PID: 4837, Parent: 1, MD5: 661b2a2da3b6c7d7ef41d0b9da1caa3b) Arguments: /usr/sbin/sshd -D

cleanup

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: s54l0GKMh9	Virustotal: Detection: 34%			Perma Link
Source: s54l0GKMh9	ReversingLabs: Detection: 39%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.97.173.69: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 109.239.134.147: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.117.198.127: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 78.94.73.210: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 96.87.80.167: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 109.193.54.146: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.57.194.76: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.175.40.225: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.65.146.78: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.128.125.240: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.7.72.164: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.77.64.1: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.0.88.236: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.220.200.185: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 196.203.188.37:23 -> 192.168.2.20:56342
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.100.1.71: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 151.81.134.100: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.126.109: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 196.203.188.37:23 -> 192.168.2.20:56352
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 68.187.254.176: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 196.203.188.37:23 -> 192.168.2.20:56364
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.252.195.84: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.139.128.1: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 156.226.116.47: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 193.83.36.251: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.203.64.67: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.93.108.4: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.245.230.11: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.223.136.125: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.160.159.108: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 78.42.90.43: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 210.131.34.15: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 112.120.244.105: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.118.92.214: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.54.124.128: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.94.223.244: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.68.20.128: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.228.136.2: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.192.74.112: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 178.159.243.115: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.211.32.232: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.6.100.149: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 185.251.46.189: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 153.153.224.90: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.110.92.134: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 37.209.118.120: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.90.167.134: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 133.242.50.126: -> 192.168.2.20:
Source: Traffic	Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 81.191.234.151: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 168.206.86.57: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 203.66.251.1: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.161.101: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.209.73.145: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.201.149.82: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.35.117.39: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 146.212.169.207: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.64.108.192: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 164.68.232.22: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.193.0.80: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 108.167.73.59: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 218.60.102.156: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 185.54.120.139: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.198.147.179: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.72.75.59: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.202.116.68: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.168.204.122: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56104
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.94.5.25: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 4.59.184.10: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.234.184.23: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.56.30.148: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38326
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38326
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 115.255.239.37: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 81.221.214.38: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.157.128.213: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56114
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 37.201.220.22: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.159.227.35: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 45.201.245.80: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 210.211.102.99: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.163.43.140: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 82.58.53.174: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 85.199.98.128: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.2.108.14: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 2.47.208.246:23 -> 192.168.2.20:36318
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 2.47.208.246:23 -> 192.168.2.20:36318
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.229.187.147: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.96.180.205: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 160.20.156.111: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56144
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 175.29.130.127: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 72.48.120.12: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.37.173.49:23 -> 192.168.2.20:51128
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.73.24.156: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.66.124.168: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 98.220.208.122: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 156.236.13.23: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 166.63.204.162: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.239.13.208: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38346
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38346
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 47.94.171.178: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.32.242.146:23 -> 192.168.2.20:39884
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.32.242.146:23 -> 192.168.2.20:39884
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.82.47.8: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 80.245.118.35: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 218.92.148.101: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.199.215.140: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56220
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.162.167.222: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.156.58.101: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 89.0.242.195: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.210.199.196: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.247.152.253: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.56.77.9: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.68.172.73: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 166.88.56.157: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2023439 ET TROJAN Possible Linux.Mirai Login Attempt (hi3518) 192.168.2.20:54014 -> 14.162.147.40:23
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.193.93.128: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 195.46.172.182: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 172.87.22.139: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56242
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.76.111.164: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38456
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38456
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 172.17.174.166: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.11.158.141: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.112.255.135: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.134.37.225: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.76.62.143: -> 192.168.2.20:
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 123.175.97.232:23 -> 192.168.2.20:41234
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.215.61.94: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 185.246.38.135: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 104.252.55.124: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.212.34.113: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.32.242.146:23 -> 192.168.2.20:39990
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.32.242.146:23 -> 192.168.2.20:39990
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 103.192.163.206: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.202.78.253: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.78.200.215: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 116.50.33.33: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.0.229.180: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 185.182.10.224: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56260
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 210.59.11.34: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.227.246.220: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 71.15.46.22: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 220.227.241.118:23 -> 192.168.2.20:40212
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.248.88.123: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.96.212.231: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 133.242.233.145: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38486
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38486
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.213.252.154: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.183.58.149: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.194.123.97: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.123.69.197: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.88.159.18: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.68.94.254: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 150.95.105.189: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56288
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 213.133.70.4: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.77.210.222: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.96.81.255: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 172.89.46.66: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 70.95.189.49: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.20:54082 -> 14.162.147.40:23
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 45.94.164.101: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 2.47.208.246:23 -> 192.168.2.20:36512
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 2.47.208.246:23 -> 192.168.2.20:36512
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.74.179.121: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.65.159.173: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.203.129.146: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.8.26.243: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.251.129.177: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.32.242.146:23 -> 192.168.2.20:40042
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.32.242.146:23 -> 192.168.2.20:40042
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.97.114.74: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.102.144.196: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56334
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.37.173.49:23 -> 192.168.2.20:51294
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.232.126.54: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.251.58.2: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.21.139.109: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.81.101.114: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.96.169.25: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 109.250.31.165: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.238.21.5: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 172.90.235.202: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38570
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38570
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 78.35.212.27: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.153.79.173: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52746
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 109.193.11.172: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 14.141.145.134: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 193.227.121.117: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56410
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.162.95.10: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 81.10.145.228: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52762
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.65.29.201: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.78.103.91: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.14.129.151: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.208.31.167: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.170.213: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2023434 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) 192.168.2.20:54202 -> 14.162.147.40:23
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.225.213.94: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.17.32.41: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 162.0.220.98: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52776
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.239.216.227: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.110.146.25: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.181.68.181: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 109.106.12.235: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 64.255.137.222: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 216.155.16.187: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.32.242.146:23 -> 192.168.2.20:40166
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.32.242.146:23 -> 192.168.2.20:40166
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.210.200.189: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52800
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.5.250.108: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 196.202.145.94: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56462
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.242.139.198: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38660
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38660
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.108.245: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52824
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 77.159.171.165: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.49.58.212: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.212.27.88: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 194.116.33.34: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 205.174.22.7: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 4.14.14.222: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 5.100.20.96: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.236.34.108: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.151.155.125: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.227.183.200: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52882
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 182.248.109.222: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 156.226.75.198: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52896
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.44.116.205: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.196.50.200: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 155.4.209.217:23 -> 192.168.2.20:36442
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.5.108.144: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.174.17.65: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.6.231.170: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52908
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.41.125.188: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.225.55.191: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 74.75.84.129: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52918
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 59.128.115.201: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38782
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38782
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 85.212.55.180: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.214.131.170: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.228.46.62: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.115.187.248: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.32.242.146:23 -> 192.168.2.20:40300
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.32.242.146:23 -> 192.168.2.20:40300
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.134.16.23: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52934
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.93.50.80: -> 192.168.2.20:

Opens /sys/class/net/* files useful for querying network interface information

Show sources

Source: /usr/sbin/NetworkManager (PID: 4634)	Opens: /sys/class/net/ens160/uevent
Source: /usr/sbin/NetworkManager (PID: 4634)	Opens: /sys/class/net/
Source: /usr/sbin/NetworkManager (PID: 4634)	Opens: /sys/class/net/
Source: /usr/sbin/NetworkManager (PID: 4634)	Opens: /sys/class/net/ens160/phys_port_id
Source: /usr/sbin/NetworkManager (PID: 4634)	Opens: /sys/class/net/ens160/dev_id
Source: /usr/sbin/NetworkManager (PID: 4634)	Opens: /sys/class/net/lo/phys_port_id
Source: /usr/sbin/NetworkManager (PID: 4634)	Opens: /sys/class/net/lo/dev_id

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44096
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44100
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44102
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44106
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44116
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44122
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44128
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44140
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44156
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44158
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41462
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41466
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41470
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41482
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41486
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41492
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41506
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41520
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41534
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41560

Source: global traffic

TCP traffic: 192.168.2.20:35686 -> 37.230.137.227:1312

Source: /tmp/s54l0GKMh9 (PID: 4606)	Socket: 0.0.0.0::0
Source: /tmp/s54l0GKMh9 (PID: 4606)	Socket: 0.0.0.0::23
Source: /tmp/s54l0GKMh9 (PID: 4606)	Socket: 0.0.0.0::53413
Source: /tmp/s54l0GKMh9 (PID: 4606)	Socket: 0.0.0.0::80
Source: /tmp/s54l0GKMh9 (PID: 4606)	Socket: 0.0.0.0::52869
Source: /tmp/s54l0GKMh9 (PID: 4606)	Socket: 0.0.0.0::37215
Source: /tmp/s54l0GKMh9 (PID: 4611)	Socket: 0.0.0.0::0
Source: /tmp/s54l0GKMh9 (PID: 4611)	Socket: 0.0.0.0::23
Source: /tmp/s54l0GKMh9 (PID: 4611)	Socket: 0.0.0.0::53413
Source: /tmp/s54l0GKMh9 (PID: 4611)	Socket: 0.0.0.0::80
Source: /tmp/s54l0GKMh9 (PID: 4611)	Socket: 0.0.0.0::52869
Source: /tmp/s54l0GKMh9 (PID: 4611)	Socket: 0.0.0.0::37215
Source: /usr/sbin/sshd (PID: 4619)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 4619)	Socket: [::]::22
Source: /usr/sbin/sshd (PID: 4742)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 4742)	Socket: [::]::22
Source: /usr/sbin/sshd (PID: 4837)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 4837)	Socket: [::]::22

Source: unknown	TCP traffic detected without corresponding DNS query: 37.230.137.227
Source: unknown	TCP traffic detected without corresponding DNS query: 94.11.183.235
Source: unknown	TCP traffic detected without corresponding DNS query: 43.228.186.183
Source: unknown	TCP traffic detected without corresponding DNS query: 101.245.81.171
Source: unknown	TCP traffic detected without corresponding DNS query: 192.100.29.235
Source: unknown	TCP traffic detected without corresponding DNS query: 35.81.236.243
Source: unknown	TCP traffic detected without corresponding DNS query: 95.31.193.172
Source: unknown	TCP traffic detected without corresponding DNS query: 31.161.65.250
Source: unknown	TCP traffic detected without corresponding DNS query: 2.188.133.72
Source: unknown	TCP traffic detected without corresponding DNS query: 42.215.143.223
Source: unknown	TCP traffic detected without corresponding DNS query: 81.104.99.249
Source: unknown	TCP traffic detected without corresponding DNS query: 47.254.224.25
Source: unknown	TCP traffic detected without corresponding DNS query: 212.112.29.45
Source: unknown	TCP traffic detected without corresponding DNS query: 141.134.239.140
Source: unknown	TCP traffic detected without corresponding DNS query: 118.134.211.41
Source: unknown	TCP traffic detected without corresponding DNS query: 164.172.172.193
Source: unknown	TCP traffic detected without corresponding DNS query: 161.170.8.82
Source: unknown	TCP traffic detected without corresponding DNS query: 142.107.119.49
Source: unknown	TCP traffic detected without corresponding DNS query: 19.44.138.129
Source: unknown	TCP traffic detected without corresponding DNS query: 151.57.1.66
Source: unknown	TCP traffic detected without corresponding DNS query: 74.24.122.189
Source: unknown	TCP traffic detected without corresponding DNS query: 221.0.37.191
Source: unknown	TCP traffic detected without corresponding DNS query: 193.145.245.157
Source: unknown	TCP traffic detected without corresponding DNS query: 159.216.86.202
Source: unknown	TCP traffic detected without corresponding DNS query: 169.95.182.113
Source: unknown	TCP traffic detected without corresponding DNS query: 98.168.21.251
Source: unknown	TCP traffic detected without corresponding DNS query: 203.103.124.207
Source: unknown	TCP traffic detected without corresponding DNS query: 178.18.221.8
Source: unknown	TCP traffic detected without corresponding DNS query: 126.252.109.132
Source: unknown	TCP traffic detected without corresponding DNS query: 1.84.180.138
Source: unknown	TCP traffic detected without corresponding DNS query: 91.232.79.124
Source: unknown	TCP traffic detected without corresponding DNS query: 178.118.235.5
Source: unknown	TCP traffic detected without corresponding DNS query: 203.159.124.52
Source: unknown	TCP traffic detected without corresponding DNS query: 179.254.87.123
Source: unknown	TCP traffic detected without corresponding DNS query: 106.154.192.213
Source: unknown	TCP traffic detected without corresponding DNS query: 45.183.83.195
Source: unknown	TCP traffic detected without corresponding DNS query: 98.97.137.140
Source: unknown	TCP traffic detected without corresponding DNS query: 252.19.172.233
Source: unknown	TCP traffic detected without corresponding DNS query: 203.188.181.148
Source: unknown	TCP traffic detected without corresponding DNS query: 13.211.246.7
Source: unknown	TCP traffic detected without corresponding DNS query: 162.140.123.190
Source: unknown	TCP traffic detected without corresponding DNS query: 16.60.67.57
Source: unknown	TCP traffic detected without corresponding DNS query: 240.157.238.207
Source: unknown	TCP traffic detected without corresponding DNS query: 166.188.169.2
Source: unknown	TCP traffic detected without corresponding DNS query: 182.18.85.29
Source: unknown	TCP traffic detected without corresponding DNS query: 114.34.19.155
Source: unknown	TCP traffic detected without corresponding DNS query: 246.180.130.239
Source: unknown	TCP traffic detected without corresponding DNS query: 217.53.192.25
Source: unknown	TCP traffic detected without corresponding DNS query: 252.224.142.166
Source: unknown	TCP traffic detected without corresponding DNS query: 38.159.94.88

Source: s54l0GKMh9

String found in binary or memory: http://upx.sf.net

System Summary:

Sample tries to kill many processes (SIGKILL)

Show sources

Source: /tmp/s54l0GKMh9 (PID: 4606)	SIGKILL sent: pid: 1339, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 4606, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 1059, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 1065, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 1091, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 1362, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 1363, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3289, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3308, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3484, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3491, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3496, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3501, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3596, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3601, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3606, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3611, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3616, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3790, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3791, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 4614, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 4619, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 4634, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 4699, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 4742, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 4611, result: successful

Source: LOAD without section mappings

Program segment: 0x100000

Source: /tmp/s54l0GKMh9 (PID: 4606)	SIGKILL sent: pid: 1339, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 4606, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 1059, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 1065, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 1091, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 1362, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 1363, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3289, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3308, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3484, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3491, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3496, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3501, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3596, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3601, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3606, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3611, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3616, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3790, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 3791, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 4614, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 4619, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 4634, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 4699, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 4742, result: successful
Source: /tmp/s54l0GKMh9 (PID: 4611)	SIGKILL sent: pid: 4611, result: successful

Source: classification engine

Classification label: mal80.spre.troj.spyw.evad.lin@0/8@0/0

Data Obfuscation:

Sample is packed with UPX

Show sources

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /usr/sbin/NetworkManager (PID: 4634)

Directory: /root/.cache

Jump to behavior

Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/1091/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/1065/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/1062/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/1084/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/1095/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/1072/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/1060/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/550/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/1/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/496/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/1017/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/1059/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/1024/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/1145/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/535/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/1078/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/1155/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/1119/fd
Source: /tmp/s54l0GKMh9 (PID: 4606)	File opened: /proc/1339/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1065/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1065/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1065/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3485/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3485/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3485/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3485/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3485/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3484/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3484/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3484/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1062/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1062/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1062/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1062/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1062/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3482/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3482/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3482/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3482/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3482/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3481/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3481/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3481/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3481/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3481/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1060/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1060/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1060/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1060/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1060/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/4606/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/4606/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/4608/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/4608/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/4608/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1059/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1059/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1059/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3479/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3479/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3479/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3479/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3479/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3512/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3512/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3512/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3512/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3512/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3477/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3477/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3477/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3477/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3477/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1452/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1452/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1452/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1452/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1452/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/514/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3632/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3632/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3632/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3632/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3632/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/519/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3518/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3518/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3518/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3518/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3518/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3497/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3497/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3497/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3497/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3497/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3133/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3133/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3133/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3133/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3133/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3496/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3496/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/3496/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1072/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1072/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1072/exe
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1072/fd
Source: /tmp/s54l0GKMh9 (PID: 4611)	File opened: /proc/1072/fd

Source: /usr/lib/snapd/snapd (PID: 4699)	Reads from proc file: /proc/sys/net/core/somaxconn	Jump to behavior
Source: /usr/lib/snapd/snapd (PID: 4699)	Reads from proc file: /proc/sys/kernel/hostname	Jump to behavior
Source: /usr/lib/snapd/snapd (PID: 4816)	Reads from proc file: /proc/sys/net/core/somaxconn	Jump to behavior
Source: /usr/lib/snapd/snapd (PID: 4816)	Reads from proc file: /proc/sys/kernel/hostname	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44096
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44100
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44102
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44106
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44116
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44122
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44128
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44140
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44156
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44158
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41462
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41466
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41470
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41482
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41486
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41492
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41506
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41520
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41534
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41560

Source: /tmp/s54l0GKMh9 (PID: 4589)	Queries kernel information via 'uname':
Source: /usr/sbin/NetworkManager (PID: 4634)	Queries kernel information via 'uname':
Source: /lib/systemd/systemd-hostnamed (PID: 4674)	Queries kernel information via 'uname':
Source: /usr/lib/snapd/snapd (PID: 4699)	Queries kernel information via 'uname':
Source: /lib/systemd/systemd-hostnamed (PID: 4794)	Queries kernel information via 'uname':
Source: /usr/lib/snapd/snapd (PID: 4816)	Queries kernel information via 'uname':

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Hidden Files and Directories1	OS Credential Dumping1	Security Software Discovery1	Remote Services	Network Information Discovery1	Exfiltration Over Other Network Medium	Non-Standard Port11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information1	LSASS Memory	System Information Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
s54l0GKMh9	34%	Virustotal		Browse
s54l0GKMh9	39%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	s54l0GKMh9	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
106.114.147.23	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
96.203.126.160	unknown	United States	7922	COMCAST-7922US	false
203.210.130.208	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
242.51.200.14	unknown	Reserved	unknown	unknown	false
69.79.2.213	unknown	United States	23520	COLUMBUS-NETWORKSUS	false
89.133.164.83	unknown	Hungary	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
47.38.71.139	unknown	United States	20115	CHARTER-20115US	false
218.39.74.160	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
223.37.188.117	unknown	Korea Republic of	9644	SKTELECOM-NET-ASSKTelecomKR	false
195.15.200.99	unknown	Switzerland	12350	VTX-NETWORKCH	false
59.89.254.145	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	false
44.43.86.40	unknown	United States	7377	UCSDUS	false
94.20.234.131	unknown	Azerbaijan	199731	NAKHINTERNET-ISPAZ	false
160.79.21.199	unknown	United States	24867	ADAPT-ASGB	false
99.250.223.76	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
109.124.248.94	unknown	Russian Federation	35032	TAHIONISP-ASRU	false
139.240.73.123	unknown	United States	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
90.54.152.98	unknown	France	3215	FranceTelecom-OrangeFR	false
252.134.181.234	unknown	Reserved	unknown	unknown	false
203.66.61.49	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
168.236.44.110	unknown	United States	3136	STATE-OF-WISCONSIN-AS1US	false
200.209.218.229	unknown	Brazil	4230	CLAROSABR	false
151.50.163.103	unknown	Italy	1267	ASN-WINDTREIUNETEU	false
42.50.47.134	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
252.47.186.21	unknown	Reserved	unknown	unknown	false
102.200.137.34	unknown	unknown	36926	CKL1-ASNKE	false
216.116.80.116	unknown	United States	14010	JACKHENRYUS	false
189.215.130.159	unknown	Mexico	28538	CablemasTelecomunicacionesSAdeCVMX	false
152.136.225.31	unknown	China	45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	false
198.209.55.33	unknown	United States	26934	UNIVERSITY-OF-MISSOURI---COLUMBIAUS	false
60.237.160.8	unknown	Japan	2518	BIGLOBEBIGLOBEIncJP	false
193.169.96.22	unknown	Russian Federation	49510	TCV-ASCZ	false
24.131.135.95	unknown	United States	7922	COMCAST-7922US	false
153.144.115.36	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
23.190.64.85	unknown	United States	394256	CLOUDSINGULARITYCA	false
167.4.234.142	unknown	United States	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
103.120.250.186	unknown	India	17665	IN2CABLE-APASNumberofIndusindMediaandcommunicationLt	false
160.248.62.37	unknown	Japan	2514	INFOSPHERENTTPCCommunicationsIncJP	false
5.51.2.160	unknown	France	5410	BOUYGTEL-ISPFR	false
125.160.53.234	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	false
142.247.130.1	unknown	Saudi Arabia	25019	SAUDINETSTC-ASSA	false
109.248.108.198	unknown	Russian Federation	28917	FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics	false
250.106.144.35	unknown	Reserved	unknown	unknown	false
114.69.243.154	unknown	India	18002	WORLDPHONE-INASNumberforInterdomainRoutingIN	false
163.189.225.254	unknown	Australia	55542	RMSNET-AS-APRoadsandMaritimeServicesAU	false
196.215.73.129	unknown	South Africa	3741	ISZA	false
98.101.210.191	unknown	United States	11426	TWC-11426-CAROLINASUS	false
66.66.21.33	unknown	United States	11351	TWC-11351-NORTHEASTUS	false
250.76.10.0	unknown	Reserved	unknown	unknown	false
147.116.206.235	unknown	United States	766	REDIRISRedIRISAutonomousSystemES	false
188.83.167.211	unknown	Portugal	3243	MEO-RESIDENCIALPT	false
107.248.194.130	unknown	United States	7018	ATT-INTERNET4US	false
35.23.30.138	unknown	United States	36375	UMICH-AS-5US	false
97.146.192.157	unknown	United States	6167	CELLCO-PARTUS	false
155.41.128.74	unknown	United States	111	BOSTONU-ASUS	false
32.192.89.13	unknown	United States	2686	ATGS-MMD-ASUS	false
17.41.75.245	unknown	United States	714	APPLE-ENGINEERINGUS	false
185.205.152.125	unknown	Poland	205706	LEGMANPL	false
157.37.76.71	unknown	India	55836	RELIANCEJIO-INRelianceJioInfocommLimitedIN	false
197.100.167.157	unknown	South Africa	3741	ISZA	false
160.232.244.58	unknown	United States	11259	ANGOLATELECOMAO	false
152.150.46.109	unknown	United Kingdom	10455	LUCENT-CIOUS	false
188.211.223.60	unknown	Iran (ISLAMIC Republic Of)	58224	TCIIR	false
195.97.85.116	unknown	Greece	3329	HOL-GRAthensGreeceGR	false
200.130.28.164	unknown	Brazil	1916	AssociacaoRedeNacionaldeEnsinoePesquisaBR	false
115.76.248.177	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
217.215.135.185	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	false
161.25.164.196	unknown	Chile	1916	AssociacaoRedeNacionaldeEnsinoePesquisaBR	false
223.28.184.116	unknown	Korea Republic of	17597	SAEROMNET-AS-KRTBROADSaeromNamdongSeohaebroadcastingKR	false
12.243.182.108	unknown	United States	7018	ATT-INTERNET4US	false
175.114.50.218	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
38.95.43.246	unknown	United States	174	COGENT-174US	false
121.165.152.132	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
180.244.198.4	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	false
176.104.41.175	unknown	Ukraine	41435	UNDERNET-AS1UA	false
101.184.26.83	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
211.40.186.144	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	false
16.108.127.103	unknown	United States	unknown	unknown	false
32.35.17.51	unknown	United States	2686	ATGS-MMD-ASUS	false
121.33.183.226	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
183.105.180.39	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
95.240.28.160	unknown	Italy	3269	ASN-IBSNAZIT	false
249.108.201.111	unknown	Reserved	unknown	unknown	false
37.35.120.99	unknown	Switzerland	15600	FINECOMQuicklineAGCH	false
16.111.181.7	unknown	United States	unknown	unknown	false
106.199.18.119	unknown	India	45609	BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService	false
245.129.132.24	unknown	Reserved	unknown	unknown	false
126.208.173.196	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
85.164.4.5	unknown	Norway	2119	TELENOR-NEXTELTelenorNorgeASNO	false
62.122.50.178	unknown	Russian Federation	47530	NVTC-ASRU	false
196.253.231.70	unknown	South Africa	8094	PUKNETZA	false
92.242.80.177	unknown	Russian Federation	8371	VIMPELCOM-NNVimpelcomNizhniyNovgorodbranchfixednetwo	false
211.118.236.136	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	false
1.58.95.38	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
124.13.77.47	unknown	Malaysia	4788	TMNET-AS-APTMNetInternetServiceProviderMY	false
218.223.148.221	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
211.188.255.117	unknown	Korea Republic of	9644	SKTELECOM-NET-ASSKTelecomKR	false
89.252.43.211	unknown	Ukraine	31148	FREENET_LLCUA	false
102.154.176.208	unknown	Tunisia	5438	ATI-TN	false
147.215.163.231	unknown	France	2439	FR-REMUSMANofthePolytechnicumEU	false

Runtime Messages

Command:	/tmp/s54l0GKMh9
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VNPT-AS-VNVNPTCorpVN	A7X93JRxhp	Get hash	malicious	Browse	113.166.97.119
	XuQRPW44hi	Get hash	malicious	Browse	123.18.19.86
	CefN2XNyFi	Get hash	malicious	Browse	14.170.32.127
	1dqNLZONFY	Get hash	malicious	Browse	113.173.201.220
	7OAzOUL9cd	Get hash	malicious	Browse	123.29.161.171
	iUmNR6tkEd	Get hash	malicious	Browse	14.234.227.130
	SvmxfeZM5Z	Get hash	malicious	Browse	14.165.136.70
	ehn0f1d63M	Get hash	malicious	Browse	14.227.0.49
	qgQgEjI283	Get hash	malicious	Browse	14.163.209.143
	pV4uIDCdSN	Get hash	malicious	Browse	123.30.106.181
	zhPAQB7FPV	Get hash	malicious	Browse	14.167.4.190
	SQCRu7Fwjk	Get hash	malicious	Browse	14.178.200.75
	Dvf7OP92yJ	Get hash	malicious	Browse	14.188.254.245
	Ebl8uJRI5t	Get hash	malicious	Browse	14.253.31.190
	XBu8Vn3bIM	Get hash	malicious	Browse	113.175.131.153
	Md3k7pepaq	Get hash	malicious	Browse	14.250.168.229
	a1sMR3Vj8o	Get hash	malicious	Browse	14.172.186.10
	8wzyljMmmn	Get hash	malicious	Browse	14.179.21.192
	lq2609LxT8	Get hash	malicious	Browse	113.166.84.52
	Rl9KiguX35	Get hash	malicious	Browse	113.175.218.219
CHINANET-BACKBONENo31Jin-rongStreetCN	z0FwvGSnDF	Get hash	malicious	Browse	218.3.209.122
	D1dU3jQ1II	Get hash	malicious	Browse	124.175.64.107
	sDwNKSpuhB	Get hash	malicious	Browse	222.214.85.14
	A7X93JRxhp	Get hash	malicious	Browse	14.121.14.117
	8ZJ0cPowTy	Get hash	malicious	Browse	117.67.60.6
	92CRMNlBq8	Get hash	malicious	Browse	113.122.55.88
	XuQRPW44hi	Get hash	malicious	Browse	120.41.157.122
	Taf5zLti30	Get hash	malicious	Browse	14.113.198.126
	5qpsqg7U0G	Get hash	malicious	Browse	106.236.30.71
	LyxN1ckWTW	Get hash	malicious	Browse	182.137.82.39
	U1R7Ed7940	Get hash	malicious	Browse	122.7.204.153
	GEso3CniSk	Get hash	malicious	Browse	121.238.137.180
	BTNNG17tlh	Get hash	malicious	Browse	222.177.200.161
	VGi1EK6T17	Get hash	malicious	Browse	27.25.204.97
	apep.mips	Get hash	malicious	Browse	222.80.71.247
	U4r9W64doy	Get hash	malicious	Browse	183.20.87.42
	C4PozjQdGE	Get hash	malicious	Browse	117.44.124.210
	kb5IbEJU8c	Get hash	malicious	Browse	222.87.131.215
	CefN2XNyFi	Get hash	malicious	Browse	116.54.173.39
	1dqNLZONFY	Get hash	malicious	Browse	180.140.66.174
COMCAST-7922US	D1dU3jQ1II	Get hash	malicious	Browse	73.221.68.185
	sDwNKSpuhB	Get hash	malicious	Browse	66.31.123.8
	A7X93JRxhp	Get hash	malicious	Browse	174.160.234.12
	92CRMNlBq8	Get hash	malicious	Browse	96.129.115.21
	XuQRPW44hi	Get hash	malicious	Browse	96.75.11.28
	Taf5zLti30	Get hash	malicious	Browse	73.105.22.60
	5qpsqg7U0G	Get hash	malicious	Browse	50.150.213.54
	LyxN1ckWTW	Get hash	malicious	Browse	73.76.173.103
	VGi1EK6T17	Get hash	malicious	Browse	96.193.32.170
	U4r9W64doy	Get hash	malicious	Browse	76.142.58.170
	C4PozjQdGE	Get hash	malicious	Browse	74.30.218.252
	CefN2XNyFi	Get hash	malicious	Browse	96.191.119.186
	7OAzOUL9cd	Get hash	malicious	Browse	67.184.88.190
	MD5OxTSc6i	Get hash	malicious	Browse	24.128.44.113
	Qka3fi8NpL	Get hash	malicious	Browse	74.156.139.185
	Xr3hmBQcmw	Get hash	malicious	Browse	96.80.132.77
	xjYvqOne1t	Get hash	malicious	Browse	73.136.89.242
	SUpODCSauS	Get hash	malicious	Browse	71.197.70.248
	sora.arm7	Get hash	malicious	Browse	98.245.173.86
	iUmNR6tkEd	Get hash	malicious	Browse	174.50.238.120

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/proc/4619/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	-1000.

/proc/4742/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	-1000.

/proc/4837/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	-1000.

/run/sshd.pid Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:hvn:5n
MD5:	5C68D6A05A8B8B31C96516DE3C3717C5
SHA1:	C9649ED14F0E4B92708AA8B5C5A38C74AABF41F5
SHA-256:	0BD44605189C73432176FE2D51B8262ECBB15FAA13E0F83EA7637DF1C08C9808
SHA-512:	A9A023FA861A16F66ED5835AB937A3EE4FAE88C5D557579F98BE46C555D3D3D216E25E5DBD3C0FE3FB44D8F4B9BB7C49E2B69729275C22E93E376AF343CF30E0
Malicious:	false
Reputation:	low
Preview:	4837.

/var/cache/snapd/sections.VkT7rk09P4mD Download File
Process:	/usr/lib/snapd/snapd
File Type:	ASCII text
Category:	dropped
Size (bytes):	257
Entropy (8bit):	4.149772078213831
Encrypted:	false
SSDEEP:	6:+JwAuG+uP2J5I9W6IzvS5/GAEwKnK/JBMlvuNjpeWPnXMISz:J02Jt6W8ce+Oj8WX6
MD5:	966FD91045792732666DBA4D113B0D48
SHA1:	9DCADCCCE036C48AEADCA9632A6E8EBADC69EE18
SHA-256:	244EB764054FECCD5D77FAD9273ECC7C1B427551FA153876C889C59D1959630D
SHA-512:	DEB94A2508E4B8A26073FC1F71E71EB19D877C890BFB93FBE4E700643FA82FF78135A146AB47EC702D6FB6D4A2FDDF5257BBF5B5E6992CAB81A15CA9B43D36BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	art-and-design.books-and-reference.development.devices-and-iot.education.entertainment.featured.finance.games.health-and-fitness.music-and-audio.news-and-weather.personalisation.photo-and-video.productivity.science.security.server-and-cloud.social.utilities

/var/cache/snapd/sections.g6T4kvDRndCj Download File
Process:	/usr/lib/snapd/snapd
File Type:	ASCII text
Category:	dropped
Size (bytes):	257
Entropy (8bit):	4.149772078213831
Encrypted:	false
SSDEEP:	6:+JwAuG+uP2J5I9W6IzvS5/GAEwKnK/JBMlvuNjpeWPnXMISz:J02Jt6W8ce+Oj8WX6
MD5:	966FD91045792732666DBA4D113B0D48
SHA1:	9DCADCCCE036C48AEADCA9632A6E8EBADC69EE18
SHA-256:	244EB764054FECCD5D77FAD9273ECC7C1B427551FA153876C889C59D1959630D
SHA-512:	DEB94A2508E4B8A26073FC1F71E71EB19D877C890BFB93FBE4E700643FA82FF78135A146AB47EC702D6FB6D4A2FDDF5257BBF5B5E6992CAB81A15CA9B43D36BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	art-and-design.books-and-reference.development.devices-and-iot.education.entertainment.featured.finance.games.health-and-fitness.music-and-audio.news-and-weather.personalisation.photo-and-video.productivity.science.security.server-and-cloud.social.utilities

Static File Info

General
File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	7.879503677327423
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	s54l0GKMh9
File size:	27236
MD5:	1a11fb2e59573ff9c8461a5998496ec4
SHA1:	0ac1b218948da361997a3dbf43859cedf732bc88
SHA256:	874f3a399fb4a6a3c99f86f6417c388b254e206f5bef96fb3b33bc38cac020dd
SHA512:	5d1f6f9c677f0d8c0602cf77d250eef6b2bcaf5b4e0ca02626adb0f0a4fad051c3ebbb101113d88e5d0cdbf6a3d807cbab17706beec43147c472c9c64095d2a9
SSDEEP:	768:w9CUFskb2JgIs/E2+OocrfJiHNjfmQ2q7IoqdB7fPWc:GCrJgHiOJrfwmQrctt
File Content Preview:	.ELF.....................V..4...........4. ...(.....................=i..=i....................E...E....................tUPX!`.......T...T.......T..........?.E.h;....#......b.L#4E..,,....M..D{c....j;.D .A....~.....hE.:.O........L..N.7g..\....R.............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x105600
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0x693d	0x693d	4.2019	0x5	R E	0x10000
LOAD	0x18c0	0x4518c0	0x4518c0	0x0	0x0	0.0000	0x6	RW	0x10000

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 11:09:00.197495937 CEST	35686	1312	192.168.2.20	37.230.137.227
Jul 22, 2021 11:09:00.199661970 CEST	50302	23	192.168.2.20	94.11.183.235
Jul 22, 2021 11:09:00.199754000 CEST	50302	23	192.168.2.20	43.228.186.183
Jul 22, 2021 11:09:00.199779034 CEST	50302	23	192.168.2.20	101.245.81.171
Jul 22, 2021 11:09:00.199805021 CEST	50302	23	192.168.2.20	192.100.29.235
Jul 22, 2021 11:09:00.199810028 CEST	50302	23	192.168.2.20	35.81.236.243
Jul 22, 2021 11:09:00.199820995 CEST	50302	23	192.168.2.20	95.31.193.172
Jul 22, 2021 11:09:00.199830055 CEST	50302	23	192.168.2.20	31.161.65.250
Jul 22, 2021 11:09:00.199850082 CEST	50302	23	192.168.2.20	2.188.133.72
Jul 22, 2021 11:09:00.199853897 CEST	50302	23	192.168.2.20	42.215.143.223
Jul 22, 2021 11:09:00.199857950 CEST	50302	23	192.168.2.20	81.104.99.249
Jul 22, 2021 11:09:00.199862957 CEST	50302	23	192.168.2.20	47.254.224.25
Jul 22, 2021 11:09:00.199867964 CEST	50302	23	192.168.2.20	212.112.29.45
Jul 22, 2021 11:09:00.199877977 CEST	50302	23	192.168.2.20	141.134.239.140
Jul 22, 2021 11:09:00.199884892 CEST	50302	23	192.168.2.20	118.134.211.41
Jul 22, 2021 11:09:00.199891090 CEST	50302	23	192.168.2.20	164.172.172.193
Jul 22, 2021 11:09:00.199892044 CEST	50302	23	192.168.2.20	161.170.8.82
Jul 22, 2021 11:09:00.199894905 CEST	50302	23	192.168.2.20	142.107.119.49
Jul 22, 2021 11:09:00.199908018 CEST	50302	23	192.168.2.20	19.44.138.129
Jul 22, 2021 11:09:00.199918032 CEST	50302	23	192.168.2.20	151.57.1.66
Jul 22, 2021 11:09:00.199920893 CEST	50302	23	192.168.2.20	74.24.122.189
Jul 22, 2021 11:09:00.199928045 CEST	50302	23	192.168.2.20	221.0.37.191
Jul 22, 2021 11:09:00.199925900 CEST	50302	23	192.168.2.20	193.145.245.157
Jul 22, 2021 11:09:00.199953079 CEST	50302	23	192.168.2.20	159.216.86.202
Jul 22, 2021 11:09:00.199956894 CEST	50302	23	192.168.2.20	169.95.182.113
Jul 22, 2021 11:09:00.199964046 CEST	50302	23	192.168.2.20	98.168.21.251
Jul 22, 2021 11:09:00.199975967 CEST	50302	23	192.168.2.20	203.103.124.207
Jul 22, 2021 11:09:00.199979067 CEST	50302	23	192.168.2.20	178.18.221.8
Jul 22, 2021 11:09:00.199981928 CEST	50302	23	192.168.2.20	126.252.109.132
Jul 22, 2021 11:09:00.199981928 CEST	50302	23	192.168.2.20	1.84.180.138
Jul 22, 2021 11:09:00.199991941 CEST	50302	23	192.168.2.20	91.232.79.124
Jul 22, 2021 11:09:00.200005054 CEST	50302	23	192.168.2.20	178.118.235.5
Jul 22, 2021 11:09:00.200014114 CEST	50302	23	192.168.2.20	203.159.124.52
Jul 22, 2021 11:09:00.200017929 CEST	50302	23	192.168.2.20	179.254.87.123
Jul 22, 2021 11:09:00.200021982 CEST	50302	23	192.168.2.20	210.32.218.187
Jul 22, 2021 11:09:00.200026035 CEST	50302	23	192.168.2.20	106.154.192.213
Jul 22, 2021 11:09:00.200046062 CEST	50302	23	192.168.2.20	45.183.83.195
Jul 22, 2021 11:09:00.200054884 CEST	50302	23	192.168.2.20	98.97.137.140
Jul 22, 2021 11:09:00.200067043 CEST	50302	23	192.168.2.20	121.88.10.206
Jul 22, 2021 11:09:00.200073004 CEST	50302	23	192.168.2.20	252.19.172.233
Jul 22, 2021 11:09:00.200073957 CEST	50302	23	192.168.2.20	203.188.181.148
Jul 22, 2021 11:09:00.200079918 CEST	50302	23	192.168.2.20	13.211.246.7
Jul 22, 2021 11:09:00.200093031 CEST	50302	23	192.168.2.20	162.140.123.190
Jul 22, 2021 11:09:00.200095892 CEST	50302	23	192.168.2.20	16.60.67.57
Jul 22, 2021 11:09:00.200105906 CEST	50302	23	192.168.2.20	240.157.238.207
Jul 22, 2021 11:09:00.200109959 CEST	50302	23	192.168.2.20	166.188.169.2
Jul 22, 2021 11:09:00.200113058 CEST	50302	23	192.168.2.20	182.18.85.29
Jul 22, 2021 11:09:00.200114012 CEST	50302	23	192.168.2.20	114.34.19.155
Jul 22, 2021 11:09:00.200114012 CEST	50302	23	192.168.2.20	246.180.130.239
Jul 22, 2021 11:09:00.200119972 CEST	50302	23	192.168.2.20	217.53.192.25
Jul 22, 2021 11:09:00.200124025 CEST	50302	23	192.168.2.20	252.224.142.166
Jul 22, 2021 11:09:00.200129986 CEST	50302	23	192.168.2.20	38.159.94.88
Jul 22, 2021 11:09:00.200130939 CEST	50302	23	192.168.2.20	180.81.128.91
Jul 22, 2021 11:09:00.200134039 CEST	50302	23	192.168.2.20	167.83.125.247
Jul 22, 2021 11:09:00.200139046 CEST	50302	23	192.168.2.20	186.171.214.77
Jul 22, 2021 11:09:00.200148106 CEST	50302	23	192.168.2.20	34.5.193.188
Jul 22, 2021 11:09:00.200153112 CEST	50302	23	192.168.2.20	14.225.127.241
Jul 22, 2021 11:09:00.200186968 CEST	50302	23	192.168.2.20	100.241.157.66
Jul 22, 2021 11:09:00.200191021 CEST	50302	23	192.168.2.20	202.203.96.201
Jul 22, 2021 11:09:00.200192928 CEST	50302	23	192.168.2.20	96.44.54.182
Jul 22, 2021 11:09:00.200195074 CEST	50302	23	192.168.2.20	126.235.6.189
Jul 22, 2021 11:09:00.200196981 CEST	50302	23	192.168.2.20	209.36.120.114
Jul 22, 2021 11:09:00.200222969 CEST	50302	23	192.168.2.20	169.125.30.209
Jul 22, 2021 11:09:00.200239897 CEST	50302	23	192.168.2.20	192.48.133.21
Jul 22, 2021 11:09:00.200244904 CEST	50302	23	192.168.2.20	210.42.33.105
Jul 22, 2021 11:09:00.200246096 CEST	50302	23	192.168.2.20	161.171.195.158
Jul 22, 2021 11:09:00.200248003 CEST	50302	23	192.168.2.20	123.0.2.213
Jul 22, 2021 11:09:00.200249910 CEST	50302	23	192.168.2.20	115.123.173.79
Jul 22, 2021 11:09:00.200256109 CEST	50302	23	192.168.2.20	104.237.250.130
Jul 22, 2021 11:09:00.200262070 CEST	50302	23	192.168.2.20	90.234.167.154
Jul 22, 2021 11:09:00.200262070 CEST	50302	23	192.168.2.20	247.239.171.138
Jul 22, 2021 11:09:00.200267076 CEST	50302	23	192.168.2.20	211.121.250.101
Jul 22, 2021 11:09:00.200272083 CEST	50302	23	192.168.2.20	18.132.197.157
Jul 22, 2021 11:09:00.200272083 CEST	50302	23	192.168.2.20	118.127.26.9
Jul 22, 2021 11:09:00.200278044 CEST	50302	23	192.168.2.20	160.208.227.166
Jul 22, 2021 11:09:00.200279951 CEST	50302	23	192.168.2.20	72.223.170.78
Jul 22, 2021 11:09:00.200283051 CEST	50302	23	192.168.2.20	66.65.198.45
Jul 22, 2021 11:09:00.200288057 CEST	50302	23	192.168.2.20	181.244.11.211
Jul 22, 2021 11:09:00.200290918 CEST	50302	23	192.168.2.20	19.157.22.0
Jul 22, 2021 11:09:00.200292110 CEST	50302	23	192.168.2.20	43.36.248.68
Jul 22, 2021 11:09:00.200295925 CEST	50302	23	192.168.2.20	42.102.1.52
Jul 22, 2021 11:09:00.200299978 CEST	50302	23	192.168.2.20	170.211.59.131
Jul 22, 2021 11:09:00.200308084 CEST	50302	23	192.168.2.20	186.121.85.12
Jul 22, 2021 11:09:00.200314045 CEST	50302	23	192.168.2.20	113.238.58.16
Jul 22, 2021 11:09:00.200316906 CEST	50302	23	192.168.2.20	240.97.56.209
Jul 22, 2021 11:09:00.200321913 CEST	50302	23	192.168.2.20	151.252.171.84
Jul 22, 2021 11:09:00.200333118 CEST	50302	23	192.168.2.20	102.80.41.177
Jul 22, 2021 11:09:00.200336933 CEST	50302	23	192.168.2.20	23.253.186.143
Jul 22, 2021 11:09:00.200339079 CEST	50302	23	192.168.2.20	98.49.81.48
Jul 22, 2021 11:09:00.200340033 CEST	50302	23	192.168.2.20	18.218.183.79
Jul 22, 2021 11:09:00.200346947 CEST	50302	23	192.168.2.20	95.218.114.115
Jul 22, 2021 11:09:00.200351000 CEST	50302	23	192.168.2.20	186.141.149.230
Jul 22, 2021 11:09:00.200354099 CEST	50302	23	192.168.2.20	174.183.89.112
Jul 22, 2021 11:09:00.200360060 CEST	50302	23	192.168.2.20	188.97.173.69
Jul 22, 2021 11:09:00.200361013 CEST	50302	23	192.168.2.20	255.102.137.22
Jul 22, 2021 11:09:00.200367928 CEST	50302	23	192.168.2.20	162.221.115.241
Jul 22, 2021 11:09:00.200372934 CEST	50302	23	192.168.2.20	184.1.231.52
Jul 22, 2021 11:09:00.200397968 CEST	50302	23	192.168.2.20	107.93.181.201
Jul 22, 2021 11:09:00.200408936 CEST	50302	23	192.168.2.20	41.196.63.175
Jul 22, 2021 11:09:00.200413942 CEST	50302	23	192.168.2.20	14.33.16.235

System Behavior

Analysis Process: s54l0GKMh9 PID: 4589 Parent PID: 4518

General

Start time:	11:08:59
Start date:	22/07/2021
Path:	/tmp/s54l0GKMh9
Arguments:	/usr/bin/qemu-mipsel /tmp/s54l0GKMh9
File size:	27236 bytes
MD5 hash:	1a11fb2e59573ff9c8461a5998496ec4

Analysis Process: s54l0GKMh9 PID: 4606 Parent PID: 4589

General

Start time:	11:08:59
Start date:	22/07/2021
Path:	/tmp/s54l0GKMh9
Arguments:	n/a
File size:	27236 bytes
MD5 hash:	1a11fb2e59573ff9c8461a5998496ec4

Analysis Process: s54l0GKMh9 PID: 4607 Parent PID: 4589

General

Start time:	11:08:59
Start date:	22/07/2021
Path:	/tmp/s54l0GKMh9
Arguments:	n/a
File size:	27236 bytes
MD5 hash:	1a11fb2e59573ff9c8461a5998496ec4

Analysis Process: s54l0GKMh9 PID: 4608 Parent PID: 4589

General

Start time:	11:08:59
Start date:	22/07/2021
Path:	/tmp/s54l0GKMh9
Arguments:	n/a
File size:	27236 bytes
MD5 hash:	1a11fb2e59573ff9c8461a5998496ec4

Analysis Process: s54l0GKMh9 PID: 4611 Parent PID: 4608

General

Start time:	11:08:59
Start date:	22/07/2021
Path:	/tmp/s54l0GKMh9
Arguments:	n/a
File size:	27236 bytes
MD5 hash:	1a11fb2e59573ff9c8461a5998496ec4

Analysis Process: s54l0GKMh9 PID: 4613 Parent PID: 4608

General

Start time:	11:08:59
Start date:	22/07/2021
Path:	/tmp/s54l0GKMh9
Arguments:	n/a
File size:	27236 bytes
MD5 hash:	1a11fb2e59573ff9c8461a5998496ec4

Analysis Process: s54l0GKMh9 PID: 4614 Parent PID: 4608

General

Start time:	11:08:59
Start date:	22/07/2021
Path:	/tmp/s54l0GKMh9
Arguments:	n/a
File size:	27236 bytes
MD5 hash:	1a11fb2e59573ff9c8461a5998496ec4

Analysis Process: systemd PID: 4619 Parent PID: 1

General

Start time:	11:09:05
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: sshd PID: 4619 Parent PID: 1

General

Start time:	11:09:05
Start date:	22/07/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	791024 bytes
MD5 hash:	661b2a2da3b6c7d7ef41d0b9da1caa3b

Analysis Process: systemd PID: 4634 Parent PID: 1

General

Start time:	11:09:29
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: NetworkManager PID: 4634 Parent PID: 1

General

Start time:	11:09:29
Start date:	22/07/2021
Path:	/usr/sbin/NetworkManager
Arguments:	/usr/sbin/NetworkManager --no-daemon
File size:	2953816 bytes
MD5 hash:	43dcb4efce9c2c522442ae62538bf659

Analysis Process: systemd PID: 4648 Parent PID: 1

General

Start time:	11:09:30
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: nm-online PID: 4648 Parent PID: 1

General

Start time:	11:09:30
Start date:	22/07/2021
Path:	/usr/bin/nm-online
Arguments:	/usr/bin/nm-online -s -q --timeout=30
File size:	14792 bytes
MD5 hash:	ac72f7c256e548d273a5133a245a1638

Analysis Process: systemd PID: 4661 Parent PID: 1

General

Start time:	11:09:30
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: nm-dispatcher PID: 4661 Parent PID: 1

General

Start time:	11:09:30
Start date:	22/07/2021
Path:	/usr/lib/NetworkManager/nm-dispatcher
Arguments:	/usr/lib/NetworkManager/nm-dispatcher
File size:	48656 bytes
MD5 hash:	7d4ef829ade49b564256f3f295f9c826

Analysis Process: nm-dispatcher PID: 4678 Parent PID: 4661

General

Start time:	11:09:30
Start date:	22/07/2021
Path:	/usr/lib/NetworkManager/nm-dispatcher
Arguments:	n/a
File size:	48656 bytes
MD5 hash:	7d4ef829ade49b564256f3f295f9c826

Analysis Process: 01ifupdown PID: 4678 Parent PID: 4661

General

Start time:	11:09:30
Start date:	22/07/2021
Path:	/etc/NetworkManager/dispatcher.d/01ifupdown
Arguments:	/bin/sh -e /etc/NetworkManager/dispatcher.d/01ifupdown none hostname
File size:	2146 bytes
MD5 hash:	299819a8e64f00a1edbdfc99d05a8594

Analysis Process: systemd PID: 4674 Parent PID: 1

General

Start time:	11:09:30
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: systemd-hostnamed PID: 4674 Parent PID: 1

General

Start time:	11:09:30
Start date:	22/07/2021
Path:	/lib/systemd/systemd-hostnamed
Arguments:	/lib/systemd/systemd-hostnamed
File size:	339152 bytes
MD5 hash:	b05764f1a40963131ea2e1cd585f4139

Analysis Process: systemd PID: 4699 Parent PID: 1

General

Start time:	11:09:33
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: snapd PID: 4699 Parent PID: 1

General

Start time:	11:09:33
Start date:	22/07/2021
Path:	/usr/lib/snapd/snapd
Arguments:	/usr/lib/snapd/snapd
File size:	21178072 bytes
MD5 hash:	416402f94a949af355c09e8bccfa0eb0

Analysis Process: systemd PID: 4718 Parent PID: 1

General

Start time:	11:09:43
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: iscsiadm PID: 4718 Parent PID: 1

General

Start time:	11:09:43
Start date:	22/07/2021
Path:	/sbin/iscsiadm
Arguments:	/sbin/iscsiadm -k 0 2
File size:	754952 bytes
MD5 hash:	b9363fe8099be776e324a481e209d7c4

Analysis Process: systemd PID: 4742 Parent PID: 1

General

Start time:	11:10:46
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: sshd PID: 4742 Parent PID: 1

General

Start time:	11:10:46
Start date:	22/07/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	791024 bytes
MD5 hash:	661b2a2da3b6c7d7ef41d0b9da1caa3b

Analysis Process: systemd PID: 4794 Parent PID: 1

General

Start time:	11:10:47
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: systemd-hostnamed PID: 4794 Parent PID: 1

General

Start time:	11:10:47
Start date:	22/07/2021
Path:	/lib/systemd/systemd-hostnamed
Arguments:	/lib/systemd/systemd-hostnamed
File size:	339152 bytes
MD5 hash:	b05764f1a40963131ea2e1cd585f4139

Analysis Process: systemd PID: 4816 Parent PID: 1

General

Start time:	11:10:48
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: snapd PID: 4816 Parent PID: 1

General

Start time:	11:10:48
Start date:	22/07/2021
Path:	/usr/lib/snapd/snapd
Arguments:	/usr/lib/snapd/snapd
File size:	21178072 bytes
MD5 hash:	416402f94a949af355c09e8bccfa0eb0

Analysis Process: systemd PID: 4837 Parent PID: 1

General

Start time:	11:10:50
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: sshd PID: 4837 Parent PID: 1

General

Start time:	11:10:50
Start date:	22/07/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	791024 bytes
MD5 hash:	661b2a2da3b6c7d7ef41d0b9da1caa3b

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.
Tactics:	Collection
Data Sources:
Platforms:	Android
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report s54l0GKMh9

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

PCAP (Network Traffic)

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: s54l0GKMh9 PID: 4589 Parent PID: 4518

General

Analysis Process: s54l0GKMh9 PID: 4606 Parent PID: 4589

General

Analysis Process: s54l0GKMh9 PID: 4607 Parent PID: 4589

General

Analysis Process: s54l0GKMh9 PID: 4608 Parent PID: 4589

General

Analysis Process: s54l0GKMh9 PID: 4611 Parent PID: 4608

General

Analysis Process: s54l0GKMh9 PID: 4613 Parent PID: 4608

General

Analysis Process: s54l0GKMh9 PID: 4614 Parent PID: 4608

General

Analysis Process: systemd PID: 4619 Parent PID: 1

General

Analysis Process: sshd PID: 4619 Parent PID: 1

General

Analysis Process: systemd PID: 4634 Parent PID: 1

General

Analysis Process: NetworkManager PID: 4634 Parent PID: 1

General

Analysis Process: systemd PID: 4648 Parent PID: 1

General