Loading ...

Play interactive tourEdit tour

Linux Analysis Report s54l0GKMh9

Overview

General Information

Sample Name:s54l0GKMh9
Analysis ID:452440
MD5:1a11fb2e59573ff9c8461a5998496ec4
SHA1:0ac1b218948da361997a3dbf43859cedf732bc88
SHA256:874f3a399fb4a6a3c99f86f6417c388b254e206f5bef96fb3b33bc38cac020dd
Tags:32elfmipsmirai
Infos:

Detection

Mirai
Score:80
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Opens /sys/class/net/* files useful for querying network interface information
Sample is packed with UPX
Sample tries to kill many processes (SIGKILL)
Uses known network protocols on non-standard ports
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Reads system information from the proc file system
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:452440
Start date:22.07.2021
Start time:11:08:27
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 40s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:s54l0GKMh9
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:default
Detection:MAL
Classification:mal80.spre.troj.spyw.evad.lin@0/8@0/0
Warnings:
Show All
  • Excluded IPs from analysis (whitelisted): 91.189.92.19, 91.189.92.39, 91.189.92.41, 91.189.92.38, 91.189.92.40, 91.189.92.20
  • TCP Packets have been reduced to 100
  • Excluded domains from analysis (whitelisted): api.snapcraft.io
  • Report size exceeded maximum capacity and may have missing network information.

Process Tree

  • system is lnxubuntu1
  • s54l0GKMh9 (PID: 4589, Parent: 4518, MD5: 1a11fb2e59573ff9c8461a5998496ec4) Arguments: /usr/bin/qemu-mipsel /tmp/s54l0GKMh9
  • systemd New Fork (PID: 4619, Parent: 1)
  • sshd (PID: 4619, Parent: 1, MD5: 661b2a2da3b6c7d7ef41d0b9da1caa3b) Arguments: /usr/sbin/sshd -D
  • systemd New Fork (PID: 4634, Parent: 1)
  • NetworkManager (PID: 4634, Parent: 1, MD5: 43dcb4efce9c2c522442ae62538bf659) Arguments: /usr/sbin/NetworkManager --no-daemon
  • systemd New Fork (PID: 4648, Parent: 1)
  • nm-online (PID: 4648, Parent: 1, MD5: ac72f7c256e548d273a5133a245a1638) Arguments: /usr/bin/nm-online -s -q --timeout=30
  • systemd New Fork (PID: 4661, Parent: 1)
  • nm-dispatcher (PID: 4661, Parent: 1, MD5: 7d4ef829ade49b564256f3f295f9c826) Arguments: /usr/lib/NetworkManager/nm-dispatcher
    • 01ifupdown (PID: 4678, Parent: 4661, MD5: 299819a8e64f00a1edbdfc99d05a8594) Arguments: /bin/sh -e /etc/NetworkManager/dispatcher.d/01ifupdown none hostname
  • systemd New Fork (PID: 4674, Parent: 1)
  • systemd-hostnamed (PID: 4674, Parent: 1, MD5: b05764f1a40963131ea2e1cd585f4139) Arguments: /lib/systemd/systemd-hostnamed
  • systemd New Fork (PID: 4699, Parent: 1)
  • snapd (PID: 4699, Parent: 1, MD5: 416402f94a949af355c09e8bccfa0eb0) Arguments: /usr/lib/snapd/snapd
  • systemd New Fork (PID: 4718, Parent: 1)
  • iscsiadm (PID: 4718, Parent: 1, MD5: b9363fe8099be776e324a481e209d7c4) Arguments: /sbin/iscsiadm -k 0 2
  • systemd New Fork (PID: 4742, Parent: 1)
  • sshd (PID: 4742, Parent: 1, MD5: 661b2a2da3b6c7d7ef41d0b9da1caa3b) Arguments: /usr/sbin/sshd -D
  • systemd New Fork (PID: 4794, Parent: 1)
  • systemd-hostnamed (PID: 4794, Parent: 1, MD5: b05764f1a40963131ea2e1cd585f4139) Arguments: /lib/systemd/systemd-hostnamed
  • systemd New Fork (PID: 4816, Parent: 1)
  • snapd (PID: 4816, Parent: 1, MD5: 416402f94a949af355c09e8bccfa0eb0) Arguments: /usr/lib/snapd/snapd
  • systemd New Fork (PID: 4837, Parent: 1)
  • sshd (PID: 4837, Parent: 1, MD5: 661b2a2da3b6c7d7ef41d0b9da1caa3b) Arguments: /usr/sbin/sshd -D
  • cleanup

Yara Overview

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_Mirai_12Yara detected MiraiJoe Security

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Multi AV Scanner detection for submitted fileShow sources
    Source: s54l0GKMh9Virustotal: Detection: 34%Perma Link
    Source: s54l0GKMh9ReversingLabs: Detection: 39%

    Networking:

    barindex
    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.97.173.69: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 109.239.134.147: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.117.198.127: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 78.94.73.210: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 96.87.80.167: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 109.193.54.146: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.57.194.76: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.175.40.225: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.65.146.78: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.128.125.240: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.7.72.164: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.77.64.1: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.0.88.236: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.220.200.185: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 196.203.188.37:23 -> 192.168.2.20:56342
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.100.1.71: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 151.81.134.100: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.126.109: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 196.203.188.37:23 -> 192.168.2.20:56352
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 68.187.254.176: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 196.203.188.37:23 -> 192.168.2.20:56364
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.252.195.84: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.139.128.1: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 156.226.116.47: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 193.83.36.251: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.203.64.67: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.93.108.4: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.245.230.11: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.223.136.125: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.160.159.108: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 78.42.90.43: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 210.131.34.15: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 112.120.244.105: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.118.92.214: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.54.124.128: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.94.223.244: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.68.20.128: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.228.136.2: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.192.74.112: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 178.159.243.115: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.211.32.232: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.6.100.149: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 185.251.46.189: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 153.153.224.90: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.110.92.134: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 37.209.118.120: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.90.167.134: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 133.242.50.126: -> 192.168.2.20:
    Source: TrafficSnort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 81.191.234.151: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 168.206.86.57: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 203.66.251.1: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.161.101: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.209.73.145: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.201.149.82: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.35.117.39: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 146.212.169.207: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.64.108.192: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 164.68.232.22: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.193.0.80: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 108.167.73.59: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 218.60.102.156: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 185.54.120.139: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.198.147.179: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.72.75.59: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.202.116.68: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.168.204.122: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56104
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.94.5.25: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 4.59.184.10: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.234.184.23: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.56.30.148: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38326
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38326
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 115.255.239.37: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 81.221.214.38: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.157.128.213: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56114
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 37.201.220.22: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.159.227.35: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 45.201.245.80: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 210.211.102.99: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.163.43.140: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 82.58.53.174: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 85.199.98.128: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.2.108.14: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 2.47.208.246:23 -> 192.168.2.20:36318
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 2.47.208.246:23 -> 192.168.2.20:36318
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.229.187.147: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.96.180.205: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 160.20.156.111: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56144
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 175.29.130.127: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 72.48.120.12: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 12.37.173.49:23 -> 192.168.2.20:51128
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.73.24.156: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.66.124.168: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 98.220.208.122: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 156.236.13.23: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 166.63.204.162: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.239.13.208: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38346
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38346
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 47.94.171.178: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 114.32.242.146:23 -> 192.168.2.20:39884
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 114.32.242.146:23 -> 192.168.2.20:39884
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.82.47.8: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 80.245.118.35: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 218.92.148.101: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.199.215.140: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56220
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.162.167.222: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.156.58.101: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 89.0.242.195: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.210.199.196: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.247.152.253: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.56.77.9: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.68.172.73: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 166.88.56.157: -> 192.168.2.20:
    Source: TrafficSnort IDS: 2023439 ET TROJAN Possible Linux.Mirai Login Attempt (hi3518) 192.168.2.20:54014 -> 14.162.147.40:23
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.193.93.128: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 195.46.172.182: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 172.87.22.139: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56242
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.76.111.164: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38456
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38456
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 172.17.174.166: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.11.158.141: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.112.255.135: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.134.37.225: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.76.62.143: -> 192.168.2.20:
    Source: TrafficSnort IDS: 492 INFO TELNET login failed 123.175.97.232:23 -> 192.168.2.20:41234
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.215.61.94: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 185.246.38.135: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 104.252.55.124: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.212.34.113: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 114.32.242.146:23 -> 192.168.2.20:39990
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 114.32.242.146:23 -> 192.168.2.20:39990
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 103.192.163.206: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.202.78.253: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.78.200.215: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 116.50.33.33: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.0.229.180: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 185.182.10.224: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56260
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 210.59.11.34: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.227.246.220: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 71.15.46.22: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 220.227.241.118:23 -> 192.168.2.20:40212
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.248.88.123: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.96.212.231: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 133.242.233.145: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38486
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38486
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.213.252.154: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.183.58.149: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.194.123.97: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.123.69.197: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.88.159.18: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.68.94.254: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 150.95.105.189: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56288
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 213.133.70.4: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.77.210.222: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.96.81.255: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 172.89.46.66: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 70.95.189.49: -> 192.168.2.20:
    Source: TrafficSnort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.20:54082 -> 14.162.147.40:23
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 45.94.164.101: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 2.47.208.246:23 -> 192.168.2.20:36512
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 2.47.208.246:23 -> 192.168.2.20:36512
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.74.179.121: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.65.159.173: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.203.129.146: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.8.26.243: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.251.129.177: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 114.32.242.146:23 -> 192.168.2.20:40042
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 114.32.242.146:23 -> 192.168.2.20:40042
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.97.114.74: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.102.144.196: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56334
    Source: TrafficSnort IDS: 716 INFO TELNET access 12.37.173.49:23 -> 192.168.2.20:51294
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.232.126.54: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.251.58.2: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.21.139.109: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.81.101.114: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.96.169.25: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 109.250.31.165: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.238.21.5: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 172.90.235.202: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38570
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38570
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 78.35.212.27: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.153.79.173: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52746
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 109.193.11.172: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 14.141.145.134: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 193.227.121.117: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56410
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.162.95.10: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 81.10.145.228: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52762
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.65.29.201: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.78.103.91: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.14.129.151: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.208.31.167: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.170.213: -> 192.168.2.20:
    Source: TrafficSnort IDS: 2023434 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) 192.168.2.20:54202 -> 14.162.147.40:23
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.225.213.94: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.17.32.41: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 162.0.220.98: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52776
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.239.216.227: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.110.146.25: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.181.68.181: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 109.106.12.235: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 64.255.137.222: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 216.155.16.187: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 114.32.242.146:23 -> 192.168.2.20:40166
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 114.32.242.146:23 -> 192.168.2.20:40166
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.210.200.189: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52800
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.5.250.108: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 196.202.145.94: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 112.27.222.62:23 -> 192.168.2.20:56462
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.242.139.198: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38660
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38660
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.108.245: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52824
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 77.159.171.165: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.49.58.212: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.212.27.88: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 194.116.33.34: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 205.174.22.7: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 4.14.14.222: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 5.100.20.96: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.236.34.108: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.151.155.125: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.227.183.200: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52882
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 182.248.109.222: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 156.226.75.198: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52896
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.44.116.205: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.196.50.200: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 155.4.209.217:23 -> 192.168.2.20:36442
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.5.108.144: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.174.17.65: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.6.231.170: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52908
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.41.125.188: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.225.55.191: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 74.75.84.129: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52918
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 59.128.115.201: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 59.125.52.126:23 -> 192.168.2.20:38782
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 59.125.52.126:23 -> 192.168.2.20:38782
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 85.212.55.180: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.214.131.170: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.228.46.62: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.115.187.248: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 114.32.242.146:23 -> 192.168.2.20:40300
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 114.32.242.146:23 -> 192.168.2.20:40300
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.134.16.23: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 178.206.194.132:23 -> 192.168.2.20:52934
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.93.50.80: -> 192.168.2.20:
    Opens /sys/class/net/* files useful for querying network interface informationShow sources
    Source: /usr/sbin/NetworkManager (PID: 4634)Opens: /sys/class/net/ens160/uevent
    Source: /usr/sbin/NetworkManager (PID: 4634)Opens: /sys/class/net/
    Source: /usr/sbin/NetworkManager (PID: 4634)Opens: /sys/class/net/
    Source: /usr/sbin/NetworkManager (PID: 4634)Opens: /sys/class/net/ens160/phys_port_id
    Source: /usr/sbin/NetworkManager (PID: 4634)Opens: /sys/class/net/ens160/dev_id
    Source: /usr/sbin/NetworkManager (PID: 4634)Opens: /sys/class/net/lo/phys_port_id
    Source: /usr/sbin/NetworkManager (PID: 4634)Opens: /sys/class/net/lo/dev_id
    Uses known network protocols on non-standard portsShow sources
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44096
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44100
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44102
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44106
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44116
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44122
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44128
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44140
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44156
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44158
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41462
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41466
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41470
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41482
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41486
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41492
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41506
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41520
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41534
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41560
    Source: global trafficTCP traffic: 192.168.2.20:35686 -> 37.230.137.227:1312
    Source: /tmp/s54l0GKMh9 (PID: 4606)Socket: 0.0.0.0::0
    Source: /tmp/s54l0GKMh9 (PID: 4606)Socket: 0.0.0.0::23
    Source: /tmp/s54l0GKMh9 (PID: 4606)Socket: 0.0.0.0::53413
    Source: /tmp/s54l0GKMh9 (PID: 4606)Socket: 0.0.0.0::80
    Source: /tmp/s54l0GKMh9 (PID: 4606)Socket: 0.0.0.0::52869
    Source: /tmp/s54l0GKMh9 (PID: 4606)Socket: 0.0.0.0::37215
    Source: /tmp/s54l0GKMh9 (PID: 4611)Socket: 0.0.0.0::0
    Source: /tmp/s54l0GKMh9 (PID: 4611)Socket: 0.0.0.0::23
    Source: /tmp/s54l0GKMh9 (PID: 4611)Socket: 0.0.0.0::53413
    Source: /tmp/s54l0GKMh9 (PID: 4611)Socket: 0.0.0.0::80
    Source: /tmp/s54l0GKMh9 (PID: 4611)Socket: 0.0.0.0::52869
    Source: /tmp/s54l0GKMh9 (PID: 4611)Socket: 0.0.0.0::37215
    Source: /usr/sbin/sshd (PID: 4619)Socket: 0.0.0.0::22
    Source: /usr/sbin/sshd (PID: 4619)Socket: [::]::22
    Source: /usr/sbin/sshd (PID: 4742)Socket: 0.0.0.0::22
    Source: /usr/sbin/sshd (PID: 4742)Socket: [::]::22
    Source: /usr/sbin/sshd (PID: 4837)Socket: 0.0.0.0::22
    Source: /usr/sbin/sshd (PID: 4837)Socket: [::]::22
    Source: unknownTCP traffic detected without corresponding DNS query: 37.230.137.227
    Source: unknownTCP traffic detected without corresponding DNS query: 94.11.183.235
    Source: unknownTCP traffic detected without corresponding DNS query: 43.228.186.183
    Source: unknownTCP traffic detected without corresponding DNS query: 101.245.81.171
    Source: unknownTCP traffic detected without corresponding DNS query: 192.100.29.235
    Source: unknownTCP traffic detected without corresponding DNS query: 35.81.236.243
    Source: unknownTCP traffic detected without corresponding DNS query: 95.31.193.172
    Source: unknownTCP traffic detected without corresponding DNS query: 31.161.65.250
    Source: unknownTCP traffic detected without corresponding DNS query: 2.188.133.72
    Source: unknownTCP traffic detected without corresponding DNS query: 42.215.143.223
    Source: unknownTCP traffic detected without corresponding DNS query: 81.104.99.249
    Source: unknownTCP traffic detected without corresponding DNS query: 47.254.224.25
    Source: unknownTCP traffic detected without corresponding DNS query: 212.112.29.45
    Source: unknownTCP traffic detected without corresponding DNS query: 141.134.239.140
    Source: unknownTCP traffic detected without corresponding DNS query: 118.134.211.41
    Source: unknownTCP traffic detected without corresponding DNS query: 164.172.172.193
    Source: unknownTCP traffic detected without corresponding DNS query: 161.170.8.82
    Source: unknownTCP traffic detected without corresponding DNS query: 142.107.119.49
    Source: unknownTCP traffic detected without corresponding DNS query: 19.44.138.129
    Source: unknownTCP traffic detected without corresponding DNS query: 151.57.1.66
    Source: unknownTCP traffic detected without corresponding DNS query: 74.24.122.189
    Source: unknownTCP traffic detected without corresponding DNS query: 221.0.37.191
    Source: unknownTCP traffic detected without corresponding DNS query: 193.145.245.157
    Source: unknownTCP traffic detected without corresponding DNS query: 159.216.86.202
    Source: unknownTCP traffic detected without corresponding DNS query: 169.95.182.113
    Source: unknownTCP traffic detected without corresponding DNS query: 98.168.21.251
    Source: unknownTCP traffic detected without corresponding DNS query: 203.103.124.207
    Source: unknownTCP traffic detected without corresponding DNS query: 178.18.221.8
    Source: unknownTCP traffic detected without corresponding DNS query: 126.252.109.132
    Source: unknownTCP traffic detected without corresponding DNS query: 1.84.180.138
    Source: unknownTCP traffic detected without corresponding DNS query: 91.232.79.124
    Source: unknownTCP traffic detected without corresponding DNS query: 178.118.235.5
    Source: unknownTCP traffic detected without corresponding DNS query: 203.159.124.52
    Source: unknownTCP traffic detected without corresponding DNS query: 179.254.87.123
    Source: unknownTCP traffic detected without corresponding DNS query: 106.154.192.213
    Source: unknownTCP traffic detected without corresponding DNS query: 45.183.83.195
    Source: unknownTCP traffic detected without corresponding DNS query: 98.97.137.140
    Source: unknownTCP traffic detected without corresponding DNS query: 252.19.172.233
    Source: unknownTCP traffic detected without corresponding DNS query: 203.188.181.148
    Source: unknownTCP traffic detected without corresponding DNS query: 13.211.246.7
    Source: unknownTCP traffic detected without corresponding DNS query: 162.140.123.190
    Source: unknownTCP traffic detected without corresponding DNS query: 16.60.67.57
    Source: unknownTCP traffic detected without corresponding DNS query: 240.157.238.207
    Source: unknownTCP traffic detected without corresponding DNS query: 166.188.169.2
    Source: unknownTCP traffic detected without corresponding DNS query: 182.18.85.29
    Source: unknownTCP traffic detected without corresponding DNS query: 114.34.19.155
    Source: unknownTCP traffic detected without corresponding DNS query: 246.180.130.239
    Source: unknownTCP traffic detected without corresponding DNS query: 217.53.192.25
    Source: unknownTCP traffic detected without corresponding DNS query: 252.224.142.166
    Source: unknownTCP traffic detected without corresponding DNS query: 38.159.94.88
    Source: s54l0GKMh9String found in binary or memory: http://upx.sf.net

    System Summary:

    barindex
    Sample tries to kill many processes (SIGKILL)Show sources
    Source: /tmp/s54l0GKMh9 (PID: 4606)SIGKILL sent: pid: 1339, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 4606, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 1059, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 1065, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 1091, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 1362, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 1363, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3289, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3308, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3484, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3491, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3496, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3501, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3596, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3601, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3606, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3611, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3616, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3790, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3791, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 4614, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 4619, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 4634, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 4699, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 4742, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 4611, result: successful
    Source: LOAD without section mappingsProgram segment: 0x100000
    Source: /tmp/s54l0GKMh9 (PID: 4606)SIGKILL sent: pid: 1339, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 4606, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 1059, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 1065, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 1091, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 1362, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 1363, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3289, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3308, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3484, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3491, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3496, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3501, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3596, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3601, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3606, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3611, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3616, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3790, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 3791, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 4614, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 4619, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 4634, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 4699, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 4742, result: successful
    Source: /tmp/s54l0GKMh9 (PID: 4611)SIGKILL sent: pid: 4611, result: successful
    Source: classification engineClassification label: mal80.spre.troj.spyw.evad.lin@0/8@0/0

    Data Obfuscation:

    barindex
    Sample is packed with UPXShow sources
    Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
    Source: initial sampleString containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
    Source: initial sampleString containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
    Source: /usr/sbin/NetworkManager (PID: 4634)Directory: /root/.cacheJump to behavior
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/1091/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/1065/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/1062/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/1084/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/1095/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/1072/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/1060/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/550/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/1/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/496/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/1017/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/1059/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/1024/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/1145/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/535/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/1078/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/1155/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/1119/fd
    Source: /tmp/s54l0GKMh9 (PID: 4606)File opened: /proc/1339/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1065/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1065/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1065/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3485/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3485/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3485/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3485/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3485/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3484/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3484/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3484/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1062/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1062/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1062/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1062/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1062/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3482/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3482/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3482/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3482/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3482/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3481/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3481/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3481/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3481/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3481/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1060/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1060/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1060/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1060/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1060/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/4606/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/4606/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/4608/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/4608/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/4608/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1059/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1059/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1059/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3479/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3479/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3479/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3479/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3479/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3512/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3512/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3512/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3512/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3512/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3477/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3477/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3477/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3477/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3477/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1452/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1452/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1452/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1452/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1452/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/514/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3632/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3632/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3632/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3632/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3632/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/519/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3518/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3518/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3518/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3518/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3518/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3497/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3497/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3497/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3497/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3497/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3133/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3133/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3133/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3133/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3133/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3496/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3496/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/3496/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1072/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1072/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1072/exe
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1072/fd
    Source: /tmp/s54l0GKMh9 (PID: 4611)File opened: /proc/1072/fd
    Source: /usr/lib/snapd/snapd (PID: 4699)Reads from proc file: /proc/sys/net/core/somaxconnJump to behavior
    Source: /usr/lib/snapd/snapd (PID: 4699)Reads from proc file: /proc/sys/kernel/hostnameJump to behavior
    Source: /usr/lib/snapd/snapd (PID: 4816)Reads from proc file: /proc/sys/net/core/somaxconnJump to behavior
    Source: /usr/lib/snapd/snapd (PID: 4816)Reads from proc file: /proc/sys/kernel/hostnameJump to behavior

    Hooking and other Techniques for Hiding and Protection:

    barindex
    Uses known network protocols on non-standard portsShow sources
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44096
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44100
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44102
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44106
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44116
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44122
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44128
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44140
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44156
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 44158
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41462
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41466
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41470
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41482
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41486
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41492
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41506
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41520
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41534
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41560
    Source: /tmp/s54l0GKMh9 (PID: 4589)Queries kernel information via 'uname':
    Source: /usr/sbin/NetworkManager (PID: 4634)Queries kernel information via 'uname':
    Source: /lib/systemd/systemd-hostnamed (PID: 4674)Queries kernel information via 'uname':
    Source: /usr/lib/snapd/snapd (PID: 4699)Queries kernel information via 'uname':
    Source: /lib/systemd/systemd-hostnamed (PID: 4794)Queries kernel information via 'uname':
    Source: /usr/lib/snapd/snapd (PID: 4816)Queries kernel information via 'uname':

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionHidden Files and Directories1OS Credential Dumping1Security Software Discovery1Remote ServicesNetwork Information Discovery1Exfiltration Over Other Network MediumNon-Standard Port11Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsObfuscated Files or Information1LSASS MemorySystem Information Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout

    Malware Configuration

    No configs have been found

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Number of created Files
    • Is malicious
    • Internet
    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 452440 Sample: s54l0GKMh9 Startdate: 22/07/2021 Architecture: LINUX Score: 80 33 114.69.243.154, 23 WORLDPHONE-INASNumberforInterdomainRoutingIN India 2->33 35 195.15.200.99 VTX-NETWORKCH Switzerland 2->35 37 98 other IPs or domains 2->37 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected Mirai 2->43 45 2 other signatures 2->45 8 s54l0GKMh9 2->8         started        10 systemd NetworkManager 2->10         started        13 systemd nm-dispatcher 2->13         started        15 9 other processes 2->15 signatures3 process4 signatures5 17 s54l0GKMh9 8->17         started        19 s54l0GKMh9 8->19         started        22 s54l0GKMh9 8->22         started        49 Opens /sys/class/net/* files useful for querying network interface information 10->49 24 nm-dispatcher 01ifupdown 13->24         started        process6 signatures7 26 s54l0GKMh9 17->26         started        29 s54l0GKMh9 17->29         started        31 s54l0GKMh9 17->31         started        47 Sample tries to kill many processes (SIGKILL) 19->47 process8 signatures9 51 Sample tries to kill many processes (SIGKILL) 26->51

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    s54l0GKMh934%VirustotalBrowse
    s54l0GKMh939%ReversingLabsLinux.Trojan.Mirai

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://upx.sf.nets54l0GKMh9false
      high

      Contacted IPs

      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs

      Public

      IPDomainCountryFlagASNASN NameMalicious
      106.114.147.23
      unknownChina
      4134CHINANET-BACKBONENo31Jin-rongStreetCNfalse
      96.203.126.160
      unknownUnited States
      7922COMCAST-7922USfalse
      203.210.130.208
      unknownViet Nam
      45899VNPT-AS-VNVNPTCorpVNfalse
      242.51.200.14
      unknownReserved
      unknownunknownfalse
      69.79.2.213
      unknownUnited States
      23520COLUMBUS-NETWORKSUSfalse
      89.133.164.83
      unknownHungary
      6830LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHoldingfalse
      47.38.71.139
      unknownUnited States
      20115CHARTER-20115USfalse
      218.39.74.160
      unknownKorea Republic of
      9318SKB-ASSKBroadbandCoLtdKRfalse
      223.37.188.117
      unknownKorea Republic of
      9644SKTELECOM-NET-ASSKTelecomKRfalse
      195.15.200.99
      unknownSwitzerland
      12350VTX-NETWORKCHfalse
      59.89.254.145
      unknownIndia
      9829BSNL-NIBNationalInternetBackboneINfalse
      44.43.86.40
      unknownUnited States
      7377UCSDUSfalse
      94.20.234.131
      unknownAzerbaijan
      199731NAKHINTERNET-ISPAZfalse
      160.79.21.199
      unknownUnited States
      24867ADAPT-ASGBfalse
      99.250.223.76
      unknownCanada
      812ROGERS-COMMUNICATIONSCAfalse
      109.124.248.94
      unknownRussian Federation
      35032TAHIONISP-ASRUfalse
      139.240.73.123
      unknownUnited States
      37963CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtdfalse
      90.54.152.98
      unknownFrance
      3215FranceTelecom-OrangeFRfalse
      252.134.181.234
      unknownReserved
      unknownunknownfalse
      203.66.61.49
      unknownTaiwan; Republic of China (ROC)
      3462HINETDataCommunicationBusinessGroupTWfalse
      168.236.44.110
      unknownUnited States
      3136STATE-OF-WISCONSIN-AS1USfalse
      200.209.218.229
      unknownBrazil
      4230CLAROSABRfalse
      151.50.163.103
      unknownItaly
      1267ASN-WINDTREIUNETEUfalse
      42.50.47.134
      unknownChina
      4837CHINA169-BACKBONECHINAUNICOMChina169BackboneCNfalse
      252.47.186.21
      unknownReserved
      unknownunknownfalse
      102.200.137.34
      unknownunknown
      36926CKL1-ASNKEfalse
      216.116.80.116
      unknownUnited States
      14010JACKHENRYUSfalse
      189.215.130.159
      unknownMexico
      28538CablemasTelecomunicacionesSAdeCVMXfalse
      152.136.225.31
      unknownChina
      45090CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompafalse
      198.209.55.33
      unknownUnited States
      26934UNIVERSITY-OF-MISSOURI---COLUMBIAUSfalse
      60.237.160.8
      unknownJapan2518BIGLOBEBIGLOBEIncJPfalse
      193.169.96.22
      unknownRussian Federation
      49510TCV-ASCZfalse
      24.131.135.95
      unknownUnited States
      7922COMCAST-7922USfalse
      153.144.115.36
      unknownJapan4713OCNNTTCommunicationsCorporationJPfalse
      23.190.64.85
      unknownUnited States
      394256CLOUDSINGULARITYCAfalse
      167.4.234.142
      unknownUnited States
      51964ORANGE-BUSINESS-SERVICES-IPSN-ASNFRfalse
      103.120.250.186
      unknownIndia
      17665IN2CABLE-APASNumberofIndusindMediaandcommunicationLtfalse
      160.248.62.37
      unknownJapan2514INFOSPHERENTTPCCommunicationsIncJPfalse
      5.51.2.160
      unknownFrance
      5410BOUYGTEL-ISPFRfalse
      125.160.53.234
      unknownIndonesia
      7713TELKOMNET-AS-APPTTelekomunikasiIndonesiaIDfalse
      142.247.130.1
      unknownSaudi Arabia
      25019SAUDINETSTC-ASSAfalse
      109.248.108.198
      unknownRussian Federation
      28917FIORD-ASIP-transitoperatorinRussiaUkraineandBalticsfalse
      250.106.144.35
      unknownReserved
      unknownunknownfalse
      114.69.243.154
      unknownIndia
      18002WORLDPHONE-INASNumberforInterdomainRoutingINfalse
      163.189.225.254
      unknownAustralia
      55542RMSNET-AS-APRoadsandMaritimeServicesAUfalse
      196.215.73.129
      unknownSouth Africa
      3741ISZAfalse
      98.101.210.191
      unknownUnited States
      11426TWC-11426-CAROLINASUSfalse
      66.66.21.33
      unknownUnited States
      11351TWC-11351-NORTHEASTUSfalse
      250.76.10.0
      unknownReserved
      unknownunknownfalse
      147.116.206.235
      unknownUnited States
      766REDIRISRedIRISAutonomousSystemESfalse
      188.83.167.211
      unknownPortugal
      3243MEO-RESIDENCIALPTfalse
      107.248.194.130
      unknownUnited States
      7018ATT-INTERNET4USfalse
      35.23.30.138
      unknownUnited States
      36375UMICH-AS-5USfalse
      97.146.192.157
      unknownUnited States
      6167CELLCO-PARTUSfalse
      155.41.128.74
      unknownUnited States
      111BOSTONU-ASUSfalse
      32.192.89.13
      unknownUnited States
      2686ATGS-MMD-ASUSfalse
      17.41.75.245
      unknownUnited States
      714APPLE-ENGINEERINGUSfalse
      185.205.152.125
      unknownPoland
      205706LEGMANPLfalse
      157.37.76.71
      unknownIndia
      55836RELIANCEJIO-INRelianceJioInfocommLimitedINfalse
      197.100.167.157
      unknownSouth Africa
      3741ISZAfalse
      160.232.244.58
      unknownUnited States
      11259ANGOLATELECOMAOfalse
      152.150.46.109
      unknownUnited Kingdom
      10455LUCENT-CIOUSfalse
      188.211.223.60
      unknownIran (ISLAMIC Republic Of)
      58224TCIIRfalse
      195.97.85.116
      unknownGreece
      3329HOL-GRAthensGreeceGRfalse
      200.130.28.164
      unknownBrazil
      1916AssociacaoRedeNacionaldeEnsinoePesquisaBRfalse
      115.76.248.177
      unknownViet Nam
      7552VIETEL-AS-APViettelGroupVNfalse
      217.215.135.185
      unknownSweden
      3301TELIANET-SWEDENTeliaCompanySEfalse
      161.25.164.196
      unknownChile
      1916AssociacaoRedeNacionaldeEnsinoePesquisaBRfalse
      223.28.184.116
      unknownKorea Republic of
      17597SAEROMNET-AS-KRTBROADSaeromNamdongSeohaebroadcastingKRfalse
      12.243.182.108
      unknownUnited States
      7018ATT-INTERNET4USfalse
      175.114.50.218
      unknownKorea Republic of
      9318SKB-ASSKBroadbandCoLtdKRfalse
      38.95.43.246
      unknownUnited States
      174COGENT-174USfalse
      121.165.152.132
      unknownKorea Republic of
      4766KIXS-AS-KRKoreaTelecomKRfalse
      180.244.198.4
      unknownIndonesia
      7713TELKOMNET-AS-APPTTelekomunikasiIndonesiaIDfalse
      176.104.41.175
      unknownUkraine
      41435UNDERNET-AS1UAfalse
      101.184.26.83
      unknownAustralia
      1221ASN-TELSTRATelstraCorporationLtdAUfalse
      211.40.186.144
      unknownKorea Republic of
      3786LGDACOMLGDACOMCorporationKRfalse
      16.108.127.103
      unknownUnited States
      unknownunknownfalse
      32.35.17.51
      unknownUnited States
      2686ATGS-MMD-ASUSfalse
      121.33.183.226
      unknownChina
      4134CHINANET-BACKBONENo31Jin-rongStreetCNfalse
      183.105.180.39
      unknownKorea Republic of
      4766KIXS-AS-KRKoreaTelecomKRfalse
      95.240.28.160
      unknownItaly
      3269ASN-IBSNAZITfalse
      249.108.201.111
      unknownReserved
      unknownunknownfalse
      37.35.120.99
      unknownSwitzerland
      15600FINECOMQuicklineAGCHfalse
      16.111.181.7
      unknownUnited States
      unknownunknownfalse
      106.199.18.119
      unknownIndia
      45609BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSServicefalse
      245.129.132.24
      unknownReserved
      unknownunknownfalse
      126.208.173.196
      unknownJapan17676GIGAINFRASoftbankBBCorpJPfalse
      85.164.4.5
      unknownNorway
      2119TELENOR-NEXTELTelenorNorgeASNOfalse
      62.122.50.178
      unknownRussian Federation
      47530NVTC-ASRUfalse
      196.253.231.70
      unknownSouth Africa
      8094PUKNETZAfalse
      92.242.80.177
      unknownRussian Federation
      8371VIMPELCOM-NNVimpelcomNizhniyNovgorodbranchfixednetwofalse
      211.118.236.136
      unknownKorea Republic of
      3786LGDACOMLGDACOMCorporationKRfalse
      1.58.95.38
      unknownChina
      4837CHINA169-BACKBONECHINAUNICOMChina169BackboneCNfalse
      124.13.77.47
      unknownMalaysia
      4788TMNET-AS-APTMNetInternetServiceProviderMYfalse
      218.223.148.221
      unknownJapan17676GIGAINFRASoftbankBBCorpJPfalse
      211.188.255.117
      unknownKorea Republic of
      9644SKTELECOM-NET-ASSKTelecomKRfalse
      89.252.43.211
      unknownUkraine
      31148FREENET_LLCUAfalse
      102.154.176.208
      unknownTunisia
      5438ATI-TNfalse
      147.215.163.231
      unknownFrance
      2439FR-REMUSMANofthePolytechnicumEUfalse


      Runtime Messages

      Command:/tmp/s54l0GKMh9
      Exit Code:0
      Exit Code Info:
      Killed:False
      Standard Output:
      Connected To CNC
      Standard Error:

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
      VNPT-AS-VNVNPTCorpVNA7X93JRxhpGet hashmaliciousBrowse
      • 113.166.97.119
      XuQRPW44hiGet hashmaliciousBrowse
      • 123.18.19.86
      CefN2XNyFiGet hashmaliciousBrowse
      • 14.170.32.127
      1dqNLZONFYGet hashmaliciousBrowse
      • 113.173.201.220
      7OAzOUL9cdGet hashmaliciousBrowse
      • 123.29.161.171
      iUmNR6tkEdGet hashmaliciousBrowse
      • 14.234.227.130
      SvmxfeZM5ZGet hashmaliciousBrowse
      • 14.165.136.70
      ehn0f1d63MGet hashmaliciousBrowse
      • 14.227.0.49
      qgQgEjI283Get hashmaliciousBrowse
      • 14.163.209.143
      pV4uIDCdSNGet hashmaliciousBrowse
      • 123.30.106.181
      zhPAQB7FPVGet hashmaliciousBrowse
      • 14.167.4.190
      SQCRu7FwjkGet hashmaliciousBrowse
      • 14.178.200.75
      Dvf7OP92yJGet hashmaliciousBrowse
      • 14.188.254.245
      Ebl8uJRI5tGet hashmaliciousBrowse
      • 14.253.31.190
      XBu8Vn3bIMGet hashmaliciousBrowse
      • 113.175.131.153
      Md3k7pepaqGet hashmaliciousBrowse
      • 14.250.168.229
      a1sMR3Vj8oGet hashmaliciousBrowse
      • 14.172.186.10
      8wzyljMmmnGet hashmaliciousBrowse
      • 14.179.21.192
      lq2609LxT8Get hashmaliciousBrowse
      • 113.166.84.52
      Rl9KiguX35Get hashmaliciousBrowse
      • 113.175.218.219
      CHINANET-BACKBONENo31Jin-rongStreetCNz0FwvGSnDFGet hashmaliciousBrowse
      • 218.3.209.122
      D1dU3jQ1IIGet hashmaliciousBrowse
      • 124.175.64.107
      sDwNKSpuhBGet hashmaliciousBrowse
      • 222.214.85.14
      A7X93JRxhpGet hashmaliciousBrowse
      • 14.121.14.117
      8ZJ0cPowTyGet hashmaliciousBrowse
      • 117.67.60.6
      92CRMNlBq8Get hashmaliciousBrowse
      • 113.122.55.88
      XuQRPW44hiGet hashmaliciousBrowse
      • 120.41.157.122
      Taf5zLti30Get hashmaliciousBrowse
      • 14.113.198.126
      5qpsqg7U0GGet hashmaliciousBrowse
      • 106.236.30.71
      LyxN1ckWTWGet hashmaliciousBrowse
      • 182.137.82.39
      U1R7Ed7940Get hashmaliciousBrowse
      • 122.7.204.153
      GEso3CniSkGet hashmaliciousBrowse
      • 121.238.137.180
      BTNNG17tlhGet hashmaliciousBrowse
      • 222.177.200.161
      VGi1EK6T17Get hashmaliciousBrowse
      • 27.25.204.97
      apep.mipsGet hashmaliciousBrowse
      • 222.80.71.247
      U4r9W64doyGet hashmaliciousBrowse
      • 183.20.87.42
      C4PozjQdGEGet hashmaliciousBrowse
      • 117.44.124.210
      kb5IbEJU8cGet hashmaliciousBrowse
      • 222.87.131.215
      CefN2XNyFiGet hashmaliciousBrowse
      • 116.54.173.39
      1dqNLZONFYGet hashmaliciousBrowse
      • 180.140.66.174
      COMCAST-7922USD1dU3jQ1IIGet hashmaliciousBrowse
      • 73.221.68.185
      sDwNKSpuhBGet hashmaliciousBrowse
      • 66.31.123.8
      A7X93JRxhpGet hashmaliciousBrowse
      • 174.160.234.12
      92CRMNlBq8Get hashmaliciousBrowse
      • 96.129.115.21
      XuQRPW44hiGet hashmaliciousBrowse
      • 96.75.11.28
      Taf5zLti30Get hashmaliciousBrowse
      • 73.105.22.60
      5qpsqg7U0GGet hashmaliciousBrowse
      • 50.150.213.54
      LyxN1ckWTWGet hashmaliciousBrowse
      • 73.76.173.103
      VGi1EK6T17Get hashmaliciousBrowse
      • 96.193.32.170
      U4r9W64doyGet hashmaliciousBrowse
      • 76.142.58.170
      C4PozjQdGEGet hashmaliciousBrowse
      • 74.30.218.252
      CefN2XNyFiGet hashmaliciousBrowse
      • 96.191.119.186
      7OAzOUL9cdGet hashmaliciousBrowse
      • 67.184.88.190
      MD5OxTSc6iGet hashmaliciousBrowse
      • 24.128.44.113
      Qka3fi8NpLGet hashmaliciousBrowse
      • 74.156.139.185
      Xr3hmBQcmwGet hashmaliciousBrowse
      • 96.80.132.77
      xjYvqOne1tGet hashmaliciousBrowse
      • 73.136.89.242
      SUpODCSauSGet hashmaliciousBrowse
      • 71.197.70.248
      sora.arm7Get hashmaliciousBrowse
      • 98.245.173.86
      iUmNR6tkEdGet hashmaliciousBrowse
      • 174.50.238.120

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      /proc/4619/oom_score_adj
      Process:/usr/sbin/sshd
      File Type:ASCII text
      Category:dropped
      Size (bytes):6
      Entropy (8bit):1.7924812503605778
      Encrypted:false
      SSDEEP:3:ptn:Dn
      MD5:CBF282CC55ED0792C33D10003D1F760A
      SHA1:007DD8BD75468E6B7ABA4285E9B267202C7EAEED
      SHA-256:FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
      SHA-512:4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview: -1000.
      /proc/4742/oom_score_adj
      Process:/usr/sbin/sshd
      File Type:ASCII text
      Category:dropped
      Size (bytes):6
      Entropy (8bit):1.7924812503605778
      Encrypted:false
      SSDEEP:3:ptn:Dn
      MD5:CBF282CC55ED0792C33D10003D1F760A
      SHA1:007DD8BD75468E6B7ABA4285E9B267202C7EAEED
      SHA-256:FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
      SHA-512:4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview: -1000.
      /proc/4837/oom_score_adj
      Process:/usr/sbin/sshd
      File Type:ASCII text
      Category:dropped
      Size (bytes):6
      Entropy (8bit):1.7924812503605778
      Encrypted:false
      SSDEEP:3:ptn:Dn
      MD5:CBF282CC55ED0792C33D10003D1F760A
      SHA1:007DD8BD75468E6B7ABA4285E9B267202C7EAEED
      SHA-256:FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
      SHA-512:4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview: -1000.
      /run/sshd.pid
      Process:/usr/sbin/sshd
      File Type:ASCII text
      Category:dropped
      Size (bytes):5
      Entropy (8bit):2.321928094887362
      Encrypted:false
      SSDEEP:3:hvn:5n
      MD5:5C68D6A05A8B8B31C96516DE3C3717C5
      SHA1:C9649ED14F0E4B92708AA8B5C5A38C74AABF41F5
      SHA-256:0BD44605189C73432176FE2D51B8262ECBB15FAA13E0F83EA7637DF1C08C9808
      SHA-512:A9A023FA861A16F66ED5835AB937A3EE4FAE88C5D557579F98BE46C555D3D3D216E25E5DBD3C0FE3FB44D8F4B9BB7C49E2B69729275C22E93E376AF343CF30E0
      Malicious:false
      Reputation:low
      Preview: 4837.
      /var/cache/snapd/sections.VkT7rk09P4mD
      Process:/usr/lib/snapd/snapd
      File Type:ASCII text
      Category:dropped
      Size (bytes):257
      Entropy (8bit):4.149772078213831
      Encrypted:false
      SSDEEP:6:+JwAuG+uP2J5I9W6IzvS5/GAEwKnK/JBMlvuNjpeWPnXMISz:J02Jt6W8ce+Oj8WX6
      MD5:966FD91045792732666DBA4D113B0D48
      SHA1:9DCADCCCE036C48AEADCA9632A6E8EBADC69EE18
      SHA-256:244EB764054FECCD5D77FAD9273ECC7C1B427551FA153876C889C59D1959630D
      SHA-512:DEB94A2508E4B8A26073FC1F71E71EB19D877C890BFB93FBE4E700643FA82FF78135A146AB47EC702D6FB6D4A2FDDF5257BBF5B5E6992CAB81A15CA9B43D36BA
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview: art-and-design.books-and-reference.development.devices-and-iot.education.entertainment.featured.finance.games.health-and-fitness.music-and-audio.news-and-weather.personalisation.photo-and-video.productivity.science.security.server-and-cloud.social.utilities
      /var/cache/snapd/sections.g6T4kvDRndCj
      Process:/usr/lib/snapd/snapd
      File Type:ASCII text
      Category:dropped
      Size (bytes):257
      Entropy (8bit):4.149772078213831
      Encrypted:false
      SSDEEP:6:+JwAuG+uP2J5I9W6IzvS5/GAEwKnK/JBMlvuNjpeWPnXMISz:J02Jt6W8ce+Oj8WX6
      MD5:966FD91045792732666DBA4D113B0D48
      SHA1:9DCADCCCE036C48AEADCA9632A6E8EBADC69EE18
      SHA-256:244EB764054FECCD5D77FAD9273ECC7C1B427551FA153876C889C59D1959630D
      SHA-512:DEB94A2508E4B8A26073FC1F71E71EB19D877C890BFB93FBE4E700643FA82FF78135A146AB47EC702D6FB6D4A2FDDF5257BBF5B5E6992CAB81A15CA9B43D36BA
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview: art-and-design.books-and-reference.development.devices-and-iot.education.entertainment.featured.finance.games.health-and-fitness.music-and-audio.news-and-weather.personalisation.photo-and-video.productivity.science.security.server-and-cloud.social.utilities

      Static File Info

      General

      File type:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
      Entropy (8bit):7.879503677327423
      TrID:
      • ELF Executable and Linkable format (generic) (4004/1) 100.00%
      File name:s54l0GKMh9
      File size:27236
      MD5:1a11fb2e59573ff9c8461a5998496ec4
      SHA1:0ac1b218948da361997a3dbf43859cedf732bc88
      SHA256:874f3a399fb4a6a3c99f86f6417c388b254e206f5bef96fb3b33bc38cac020dd
      SHA512:5d1f6f9c677f0d8c0602cf77d250eef6b2bcaf5b4e0ca02626adb0f0a4fad051c3ebbb101113d88e5d0cdbf6a3d807cbab17706beec43147c472c9c64095d2a9
      SSDEEP:768:w9CUFskb2JgIs/E2+OocrfJiHNjfmQ2q7IoqdB7fPWc:GCrJgHiOJrfwmQrctt
      File Content Preview:.ELF.....................V..4...........4. ...(.....................=i..=i....................E...E....................tUPX!`.......T...T.......T..........?.E.h;....#......b.L#4E..,,....M..D{c....j;.D .A....~.....hE.:.O........L..N.7g..\....R.............

      Static ELF Info

      ELF header

      Class:ELF32
      Data:2's complement, little endian
      Version:1 (current)
      Machine:MIPS R3000
      Version Number:0x1
      Type:EXEC (Executable file)
      OS/ABI:UNIX - System V
      ABI Version:0
      Entry Point Address:0x105600
      Flags:0x1007
      ELF Header Size:52
      Program Header Offset:52
      Program Header Size:32
      Number of Program Headers:2
      Section Header Offset:0
      Section Header Size:40
      Number of Section Headers:0
      Header String Table Index:0

      Program Segments

      TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
      LOAD0x00x1000000x1000000x693d0x693d4.20190x5R E0x10000
      LOAD0x18c00x4518c00x4518c00x00x00.00000x6RW 0x10000

      Network Behavior

      Network Port Distribution

      TCP Packets

      TimestampSource PortDest PortSource IPDest IP
      Jul 22, 2021 11:09:00.197495937 CEST356861312192.168.2.2037.230.137.227
      Jul 22, 2021 11:09:00.199661970 CEST5030223192.168.2.2094.11.183.235
      Jul 22, 2021 11:09:00.199754000 CEST5030223192.168.2.2043.228.186.183
      Jul 22, 2021 11:09:00.199779034 CEST5030223192.168.2.20101.245.81.171
      Jul 22, 2021 11:09:00.199805021 CEST5030223192.168.2.20192.100.29.235
      Jul 22, 2021 11:09:00.199810028 CEST5030223192.168.2.2035.81.236.243
      Jul 22, 2021 11:09:00.199820995 CEST5030223192.168.2.2095.31.193.172
      Jul 22, 2021 11:09:00.199830055 CEST5030223192.168.2.2031.161.65.250
      Jul 22, 2021 11:09:00.199850082 CEST5030223192.168.2.202.188.133.72
      Jul 22, 2021 11:09:00.199853897 CEST5030223192.168.2.2042.215.143.223
      Jul 22, 2021 11:09:00.199857950 CEST5030223192.168.2.2081.104.99.249
      Jul 22, 2021 11:09:00.199862957 CEST5030223192.168.2.2047.254.224.25
      Jul 22, 2021 11:09:00.199867964 CEST5030223192.168.2.20212.112.29.45
      Jul 22, 2021 11:09:00.199877977 CEST5030223192.168.2.20141.134.239.140
      Jul 22, 2021 11:09:00.199884892 CEST5030223192.168.2.20118.134.211.41
      Jul 22, 2021 11:09:00.199891090 CEST5030223192.168.2.20164.172.172.193
      Jul 22, 2021 11:09:00.199892044 CEST5030223192.168.2.20161.170.8.82
      Jul 22, 2021 11:09:00.199894905 CEST5030223192.168.2.20142.107.119.49
      Jul 22, 2021 11:09:00.199908018 CEST5030223192.168.2.2019.44.138.129
      Jul 22, 2021 11:09:00.199918032 CEST5030223192.168.2.20151.57.1.66
      Jul 22, 2021 11:09:00.199920893 CEST5030223192.168.2.2074.24.122.189
      Jul 22, 2021 11:09:00.199928045 CEST5030223192.168.2.20221.0.37.191
      Jul 22, 2021 11:09:00.199925900 CEST5030223192.168.2.20193.145.245.157
      Jul 22, 2021 11:09:00.199953079 CEST5030223192.168.2.20159.216.86.202
      Jul 22, 2021 11:09:00.199956894 CEST5030223192.168.2.20169.95.182.113
      Jul 22, 2021 11:09:00.199964046 CEST5030223192.168.2.2098.168.21.251
      Jul 22, 2021 11:09:00.199975967 CEST5030223192.168.2.20203.103.124.207
      Jul 22, 2021 11:09:00.199979067 CEST5030223192.168.2.20178.18.221.8
      Jul 22, 2021 11:09:00.199981928 CEST5030223192.168.2.20126.252.109.132
      Jul 22, 2021 11:09:00.199981928 CEST5030223192.168.2.201.84.180.138
      Jul 22, 2021 11:09:00.199991941 CEST5030223192.168.2.2091.232.79.124
      Jul 22, 2021 11:09:00.200005054 CEST5030223192.168.2.20178.118.235.5
      Jul 22, 2021 11:09:00.200014114 CEST5030223192.168.2.20203.159.124.52
      Jul 22, 2021 11:09:00.200017929 CEST5030223192.168.2.20179.254.87.123
      Jul 22, 2021 11:09:00.200021982 CEST5030223192.168.2.20210.32.218.187
      Jul 22, 2021 11:09:00.200026035 CEST5030223192.168.2.20106.154.192.213
      Jul 22, 2021 11:09:00.200046062 CEST5030223192.168.2.2045.183.83.195
      Jul 22, 2021 11:09:00.200054884 CEST5030223192.168.2.2098.97.137.140
      Jul 22, 2021 11:09:00.200067043 CEST5030223192.168.2.20121.88.10.206
      Jul 22, 2021 11:09:00.200073004 CEST5030223192.168.2.20252.19.172.233
      Jul 22, 2021 11:09:00.200073957 CEST5030223192.168.2.20203.188.181.148
      Jul 22, 2021 11:09:00.200079918 CEST5030223192.168.2.2013.211.246.7
      Jul 22, 2021 11:09:00.200093031 CEST5030223192.168.2.20162.140.123.190
      Jul 22, 2021 11:09:00.200095892 CEST5030223192.168.2.2016.60.67.57
      Jul 22, 2021 11:09:00.200105906 CEST5030223192.168.2.20240.157.238.207
      Jul 22, 2021 11:09:00.200109959 CEST5030223192.168.2.20166.188.169.2
      Jul 22, 2021 11:09:00.200113058 CEST5030223192.168.2.20182.18.85.29
      Jul 22, 2021 11:09:00.200114012 CEST5030223192.168.2.20114.34.19.155
      Jul 22, 2021 11:09:00.200114012 CEST5030223192.168.2.20246.180.130.239
      Jul 22, 2021 11:09:00.200119972 CEST5030223192.168.2.20217.53.192.25
      Jul 22, 2021 11:09:00.200124025 CEST5030223192.168.2.20252.224.142.166
      Jul 22, 2021 11:09:00.200129986 CEST5030223192.168.2.2038.159.94.88
      Jul 22, 2021 11:09:00.200130939 CEST5030223192.168.2.20180.81.128.91
      Jul 22, 2021 11:09:00.200134039 CEST5030223192.168.2.20167.83.125.247
      Jul 22, 2021 11:09:00.200139046 CEST5030223192.168.2.20186.171.214.77
      Jul 22, 2021 11:09:00.200148106 CEST5030223192.168.2.2034.5.193.188
      Jul 22, 2021 11:09:00.200153112 CEST5030223192.168.2.2014.225.127.241
      Jul 22, 2021 11:09:00.200186968 CEST5030223192.168.2.20100.241.157.66
      Jul 22, 2021 11:09:00.200191021 CEST5030223192.168.2.20202.203.96.201
      Jul 22, 2021 11:09:00.200192928 CEST5030223192.168.2.2096.44.54.182
      Jul 22, 2021 11:09:00.200195074 CEST5030223192.168.2.20126.235.6.189
      Jul 22, 2021 11:09:00.200196981 CEST5030223192.168.2.20209.36.120.114
      Jul 22, 2021 11:09:00.200222969 CEST5030223192.168.2.20169.125.30.209
      Jul 22, 2021 11:09:00.200239897 CEST5030223192.168.2.20192.48.133.21
      Jul 22, 2021 11:09:00.200244904 CEST5030223192.168.2.20210.42.33.105
      Jul 22, 2021 11:09:00.200246096 CEST5030223192.168.2.20161.171.195.158
      Jul 22, 2021 11:09:00.200248003 CEST5030223192.168.2.20123.0.2.213
      Jul 22, 2021 11:09:00.200249910 CEST5030223192.168.2.20115.123.173.79
      Jul 22, 2021 11:09:00.200256109 CEST5030223192.168.2.20104.237.250.130
      Jul 22, 2021 11:09:00.200262070 CEST5030223192.168.2.2090.234.167.154
      Jul 22, 2021 11:09:00.200262070 CEST5030223192.168.2.20247.239.171.138
      Jul 22, 2021 11:09:00.200267076 CEST5030223192.168.2.20211.121.250.101
      Jul 22, 2021 11:09:00.200272083 CEST5030223192.168.2.2018.132.197.157
      Jul 22, 2021 11:09:00.200272083 CEST5030223192.168.2.20118.127.26.9
      Jul 22, 2021 11:09:00.200278044 CEST5030223192.168.2.20160.208.227.166
      Jul 22, 2021 11:09:00.200279951 CEST5030223192.168.2.2072.223.170.78
      Jul 22, 2021 11:09:00.200283051 CEST5030223192.168.2.2066.65.198.45
      Jul 22, 2021 11:09:00.200288057 CEST5030223192.168.2.20181.244.11.211
      Jul 22, 2021 11:09:00.200290918 CEST5030223192.168.2.2019.157.22.0
      Jul 22, 2021 11:09:00.200292110 CEST5030223192.168.2.2043.36.248.68
      Jul 22, 2021 11:09:00.200295925 CEST5030223192.168.2.2042.102.1.52
      Jul 22, 2021 11:09:00.200299978 CEST5030223192.168.2.20170.211.59.131
      Jul 22, 2021 11:09:00.200308084 CEST5030223192.168.2.20186.121.85.12
      Jul 22, 2021 11:09:00.200314045 CEST5030223192.168.2.20113.238.58.16
      Jul 22, 2021 11:09:00.200316906 CEST5030223192.168.2.20240.97.56.209
      Jul 22, 2021 11:09:00.200321913 CEST5030223192.168.2.20151.252.171.84
      Jul 22, 2021 11:09:00.200333118 CEST5030223192.168.2.20102.80.41.177
      Jul 22, 2021 11:09:00.200336933 CEST5030223192.168.2.2023.253.186.143
      Jul 22, 2021 11:09:00.200339079 CEST5030223192.168.2.2098.49.81.48
      Jul 22, 2021 11:09:00.200340033 CEST5030223192.168.2.2018.218.183.79
      Jul 22, 2021 11:09:00.200346947 CEST5030223192.168.2.2095.218.114.115
      Jul 22, 2021 11:09:00.200351000 CEST5030223192.168.2.20186.141.149.230
      Jul 22, 2021 11:09:00.200354099 CEST5030223192.168.2.20174.183.89.112
      Jul 22, 2021 11:09:00.200360060 CEST5030223192.168.2.20188.97.173.69
      Jul 22, 2021 11:09:00.200361013 CEST5030223192.168.2.20255.102.137.22
      Jul 22, 2021 11:09:00.200367928 CEST5030223192.168.2.20162.221.115.241
      Jul 22, 2021 11:09:00.200372934 CEST5030223192.168.2.20184.1.231.52
      Jul 22, 2021 11:09:00.200397968 CEST5030223192.168.2.20107.93.181.201
      Jul 22, 2021 11:09:00.200408936 CEST5030223192.168.2.2041.196.63.175
      Jul 22, 2021 11:09:00.200413942 CEST5030223192.168.2.2014.33.16.235

      System Behavior