Linux Analysis Report ovLjmo5UoE

Overview

General Information

Sample Name: ovLjmo5UoE
Analysis ID: 452448
MD5: 96468aa8293a504d9431860381691baf
SHA1: a2e7baff712d4a1a41b2b83f60e0afcbaa774190
SHA256: 6596ffeba4d8ea7bc59db3f41d511c1241263f9dd3c01a5657c89279bc8c4fd5
Tags: 32, elf, mips, mirai

Detection

Mirai
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Opens /sys/class/net/* files useful for querying network interface information
Sample is packed with UPX
Sample tries to kill many processes (SIGKILL)
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Reads system information from the proc file system
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452448
Start date: 22.07.2021
Start time: 11:25:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 44s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ovLjmo5UoE
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode: default
Detection: MAL
Classification: mal76.spre.troj.spyw.evad.lin@0/8@0/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 91.189.92.39, 91.189.92.19, 91.189.92.40, 91.189.92.38, 91.189.92.20, 91.189.92.41
  • Excluded domains from analysis (whitelisted): api.snapcraft.io
  • Report size exceeded maximum capacity and may have missing network information.

Process Tree

  • system is lnxubuntu1
  • ovLjmo5UoE (PID: 4571, Parent: 4498, MD5: 96468aa8293a504d9431860381691baf) Arguments: /usr/bin/qemu-mips /tmp/ovLjmo5UoE
  • systemd New Fork (PID: 4602, Parent: 1)
  • sshd (PID: 4602, Parent: 1, MD5: 661b2a2da3b6c7d7ef41d0b9da1caa3b) Arguments: /usr/sbin/sshd -D
  • systemd New Fork (PID: 4614, Parent: 1)
  • NetworkManager (PID: 4614, Parent: 1, MD5: 43dcb4efce9c2c522442ae62538bf659) Arguments: /usr/sbin/NetworkManager --no-daemon
  • systemd New Fork (PID: 4628, Parent: 1)
  • nm-online (PID: 4628, Parent: 1, MD5: ac72f7c256e548d273a5133a245a1638) Arguments: /usr/bin/nm-online -s -q --timeout=30
  • systemd New Fork (PID: 4641, Parent: 1)
  • nm-dispatcher (PID: 4641, Parent: 1, MD5: 7d4ef829ade49b564256f3f295f9c826) Arguments: /usr/lib/NetworkManager/nm-dispatcher
    • 01ifupdown (PID: 4665, Parent: 4641, MD5: 299819a8e64f00a1edbdfc99d05a8594) Arguments: /bin/sh -e /etc/NetworkManager/dispatcher.d/01ifupdown none hostname
  • systemd New Fork (PID: 4654, Parent: 1)
  • systemd-hostnamed (PID: 4654, Parent: 1, MD5: b05764f1a40963131ea2e1cd585f4139) Arguments: /lib/systemd/systemd-hostnamed
  • systemd New Fork (PID: 4679, Parent: 1)
  • snapd (PID: 4679, Parent: 1, MD5: 416402f94a949af355c09e8bccfa0eb0) Arguments: /usr/lib/snapd/snapd
  • systemd New Fork (PID: 4698, Parent: 1)
  • iscsiadm (PID: 4698, Parent: 1, MD5: b9363fe8099be776e324a481e209d7c4) Arguments: /sbin/iscsiadm -k 0 2
  • systemd New Fork (PID: 4722, Parent: 1)
  • sshd (PID: 4722, Parent: 1, MD5: 661b2a2da3b6c7d7ef41d0b9da1caa3b) Arguments: /usr/sbin/sshd -D
  • systemd New Fork (PID: 4776, Parent: 1)
  • systemd-hostnamed (PID: 4776, Parent: 1, MD5: b05764f1a40963131ea2e1cd585f4139) Arguments: /lib/systemd/systemd-hostnamed
  • systemd New Fork (PID: 4799, Parent: 1)
  • snapd (PID: 4799, Parent: 1, MD5: 416402f94a949af355c09e8bccfa0eb0) Arguments: /usr/lib/snapd/snapd
  • systemd New Fork (PID: 4818, Parent: 1)
  • sshd (PID: 4818, Parent: 1, MD5: 661b2a2da3b6c7d7ef41d0b9da1caa3b) Arguments: /usr/sbin/sshd -D
  • cleanup

Yara Overview

PCAP (Network Traffic)

Source: dump.pcap
Rule: JoeSecurity_Mirai_12
Description: Yara detected Mirai
Author: Joe Security
Strings: (none listed)

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: ovLjmo5UoE, Virustotal: Detection: 39%
Source: ovLjmo5UoE, ReversingLabs: Detection: 35%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Source: TrafficSnort IDS: 716 INFO TELNET access 14.205.250.146:23 -> 192.168.2.20:45318
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.253.201.62: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 141.98.40.196: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 112.161.50.31:23 -> 192.168.2.20:57494
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 112.161.50.31:23 -> 192.168.2.20:57494
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.3.109.160: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 59.115.194.8:23 -> 192.168.2.20:40398
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 59.115.194.8:23 -> 192.168.2.20:40398
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.59.125.43: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 45.50.201.121: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 14.205.250.146:23 -> 192.168.2.20:45318
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 14.205.250.146:23 -> 192.168.2.20:45318
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 45.38.242.95: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.61.112.131: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.96.135.46: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.169.218.117: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 193.38.231.77: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 222.227.12.140: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.22.190.149: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.157.99.174: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 213.209.83.237: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.218.117.210: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 185.54.120.139: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.33.241.210: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.157.1.253: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 198.72.198.235: -> 192.168.2.20:
    Source: TrafficSnort IDS: 2023434 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) 192.168.2.20:52194 -> 91.84.219.112:23
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 83.252.195.75:23 -> 192.168.2.20:58076
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 83.252.195.75:23 -> 192.168.2.20:58076
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.136.120.190: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 186.236.190.82: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 222.124.62.149:23 -> 192.168.2.20:54750
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.85.172.143: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.215.42.54: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 174.104.201.70: -> 192.168.2.20:
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 139.162.85.233: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.243.43.164: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.229.179.132: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 68.53.85.3: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 177.8.221.169:23 -> 192.168.2.20:48746
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 85.190.179.205: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 123.28.129.115:23 -> 192.168.2.20:52476
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 123.28.129.115:23 -> 192.168.2.20:52476
    Source: TrafficSnort IDS: 716 INFO TELNET access 112.161.50.31:23 -> 192.168.2.20:57590
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 78.34.156.149: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.14.37.249: -> 192.168.2.20:
    Source: TrafficSnort IDS: 716 INFO TELNET access 14.205.250.146:23 -> 192.168.2.20:45386
    Source: TrafficSnort IDS: 2023449 ET TROJAN Possible Linux.Mirai Login Attempt (vizxv) 192.168.2.20:52222 -> 91.84.219.112:23
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 122.14.200.176: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 201.91.97.198: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 59.115.194.8:23 -> 192.168.2.20:40456
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 59.115.194.8:23 -> 192.168.2.20:40456
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.132.152.81: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.211.98.249: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.232.103.205: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.255.80.14: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.217.41.160: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.26.127.38: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 80.178.217.39:23 -> 192.168.2.20:50378
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 80.178.217.39:23 -> 192.168.2.20:50378
    Source: TrafficSnort IDS: 716 INFO TELNET access 177.8.221.169:23 -> 192.168.2.20:48780
    Source: TrafficSnort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 103.242.0.226: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 168.95.22.153: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 14.205.250.146:23 -> 192.168.2.20:45386
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 14.205.250.146:23 -> 192.168.2.20:45386
    Source: TrafficSnort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.20:52252 -> 91.84.219.112:23
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 193.80.96.224: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.217.127.79: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.203.183.81: -> 192.168.2.20:
    Source: TrafficSnort IDS: 1251 INFO TELNET Bad Login 83.252.195.75:23 -> 192.168.2.20:58118
    Source: TrafficSnort IDS: 718 INFO TELNET login incorrect 83.252.195.75:23 -> 192.168.2.20:58118
    Source: TrafficSnort IDS: 716 INFO TELNET access 177.8.221.169:23 -> 192.168.2.20:48804
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.213.211.209: -> 192.168.2.20:
    Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 212.117.93.90: -> 192.168.2.20:
    Opens /sys/class/net/* files useful for querying network interface information
    Source: /usr/sbin/NetworkManager (PID: 4614) | Opens: /sys/class/net/ens160/uevent
    Source: /usr/sbin/NetworkManager (PID: 4614) | Opens: /sys/class/net/
    Source: /usr/sbin/NetworkManager (PID: 4614) | Opens: /sys/class/net/ens160/phys_port_id
    Source: /usr/sbin/NetworkManager (PID: 4614) | Opens: /sys/class/net/ens160/dev_id
    Source: /usr/sbin/NetworkManager (PID: 4614) | Opens: /sys/class/net/lo/phys_port_id
    Source: /usr/sbin/NetworkManager (PID: 4614) | Opens: /sys/class/net/lo/dev_id
    Source: global traffic | TCP traffic: 192.168.2.20:35686 -> 37.230.137.227:1312
    Source: /tmp/ovLjmo5UoE (PID: 4586) | Socket: 0.0.0.0::0
    Source: /tmp/ovLjmo5UoE (PID: 4586) | Socket: 0.0.0.0::23
    Source: /tmp/ovLjmo5UoE (PID: 4586) | Socket: 0.0.0.0::53413
    Source: /tmp/ovLjmo5UoE (PID: 4586) | Socket: 0.0.0.0::80
    Source: /tmp/ovLjmo5UoE (PID: 4586) | Socket: 0.0.0.0::52869
    Source: /tmp/ovLjmo5UoE (PID: 4586) | Socket: 0.0.0.0::37215
    Source: /tmp/ovLjmo5UoE (PID: 4590) | Socket: 0.0.0.0::0
    Source: /tmp/ovLjmo5UoE (PID: 4590) | Socket: 0.0.0.0::23
    Source: /tmp/ovLjmo5UoE (PID: 4590) | Socket: 0.0.0.0::53413
    Source: /tmp/ovLjmo5UoE (PID: 4590) | Socket: 0.0.0.0::80
    Source: /tmp/ovLjmo5UoE (PID: 4590) | Socket: 0.0.0.0::52869
    Source: /tmp/ovLjmo5UoE (PID: 4590) | Socket: 0.0.0.0::37215
    Source: /usr/sbin/sshd (PID: 4602) | Socket: 0.0.0.0::22
    Source: /usr/sbin/sshd (PID: 4602) | Socket: [::]::22
    Source: /usr/sbin/sshd (PID: 4722) | Socket: 0.0.0.0::22
    Source: /usr/sbin/sshd (PID: 4722) | Socket: [::]::22
    Source: /usr/sbin/sshd (PID: 4818) | Socket: 0.0.0.0::22
    Source: /usr/sbin/sshd (PID: 4818) | Socket: [::]::22
    Source: ovLjmo5UoE | String found in binary or memory: http://upx.sf.net

    System Summary:

    Sample tries to kill many processes (SIGKILL)
    Source: /tmp/ovLjmo5UoE (PID: 4586) | SIGKILL sent: pid: 1339, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 4586, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 1059, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 1065, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 1091, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 1362, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 1363, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 3289, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 3308, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 3484, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 3491, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 3496, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 3501, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 3596, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 3601, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 3606, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 3611, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 3616, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 3790, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 3791, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 4592, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 4602, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 4614, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 4679, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 4722, result: successful
    Source: /tmp/ovLjmo5UoE (PID: 4590) | SIGKILL sent: pid: 4590, result: successful
    Source: LOAD without section mappings | Program segment: 0x100000
    Source: classification engine | Classification label: mal76.spre.troj.spyw.evad.lin@0/8@0/0

    Data Obfuscation:

    Sample is packed with UPX
    Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
    Source: initial sampleString containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
    Source: /usr/sbin/NetworkManager (PID: 4614)Directory: /root/.cacheJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1065/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1065/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1065/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3485/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3485/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3485/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3485/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3485/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3484/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3484/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3484/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1062/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1062/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1062/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1062/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1062/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3482/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3482/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3482/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3482/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3482/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3481/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3481/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3481/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3481/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3481/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1060/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1060/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1060/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1060/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1060/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1059/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1059/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1059/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3479/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3479/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3479/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3479/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3479/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3512/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3512/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3512/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3512/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3512/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3477/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3477/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3477/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3477/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3477/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1452/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1452/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1452/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1452/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1452/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/514/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3632/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3632/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3632/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3632/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3632/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/4722/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/4602/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/519/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3518/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3518/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3518/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3518/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3518/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/4586/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/4586/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3497/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3497/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3497/exeJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3497/fdJump to behavior
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3497/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3133/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3133/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3133/exe
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3133/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3133/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3496/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3496/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3496/exe
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/1072/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/1072/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/1072/exe
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/1072/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/1072/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3491/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3491/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3491/exe
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/483/exe
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3527/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3527/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3527/exe
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3527/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3527/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/1/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/1/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/1/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/1/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3525/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3525/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3525/exe
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3525/fd
    Source: /tmp/ovLjmo5UoE (PID: 4590) | File opened: /proc/3525/fd
    Source: /usr/lib/snapd/snapd (PID: 4679) | Reads from proc file: /proc/sys/net/core/somaxconn
    Source: /usr/lib/snapd/snapd (PID: 4679) | Reads from proc file: /proc/sys/kernel/hostname
    Source: /usr/lib/snapd/snapd (PID: 4799) | Reads from proc file: /proc/sys/net/core/somaxconn
    Source: /usr/lib/snapd/snapd (PID: 4799) | Reads from proc file: /proc/sys/kernel/hostname
    Source: /tmp/ovLjmo5UoE (PID: 4571) | Queries kernel information via 'uname'
    Source: /usr/sbin/NetworkManager (PID: 4614) | Queries kernel information via 'uname'
    Source: /lib/systemd/systemd-hostnamed (PID: 4654) | Queries kernel information via 'uname'
    Source: /usr/lib/snapd/snapd (PID: 4679) | Queries kernel information via 'uname'
    Source: /lib/systemd/systemd-hostnamed (PID: 4776) | Queries kernel information via 'uname'
    Source: /usr/lib/snapd/snapd (PID: 4799) | Queries kernel information via 'uname'
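    The rows above show the sample (PID 4590) walking /proc and opening fd/ and exe of nine unrelated PIDs, including PID 1, shortly before the "Sample tries to kill many processes (SIGKILL)" signature fires. The following is an added example, not part of the Joe Sandbox report or the sample: a small Python triage helper that parses rows in this "Source: ... (PID: n) File opened: /proc/<pid>/<entry>" format and flags any source process that read /proc/<pid>/exe for many distinct PIDs. The embedded log lines are constructed to mirror the rows above; the regex, the function names, the threshold of five PIDs and the reading of wide /proc/<pid>/exe access as a precursor to a kill sweep are this example's own assumptions.

```python
"""Summarise /proc enumeration rows from a sandbox behaviour log.

Added example (not Joe Sandbox code). The row format mirrors the
"File opened: /proc/<pid>/..." entries in the report; the sample lines,
the threshold and the interpretation are this example's assumptions.
"""
import re
from collections import defaultdict

# Matches "Source: <path> (PID: <n>)File opened: /proc/<pid>/<entry>",
# with or without the "Jump to behavior" link text that web exports append.
ROW_RE = re.compile(
    r"Source:\s*(?P<path>\S+)\s*\(PID:\s*(?P<pid>\d+)\)\s*"
    r"File opened:\s*/proc/(?P<target>\d+)/(?P<entry>[^\s]+?)"
    r"(?:Jump to behavior)?\s*$"
)

# Constructed sample rows (a subset shaped like the report's rows).
SAMPLE_LOG = """\
Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3497/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3133/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3496/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1072/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/3491/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/483/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)File opened: /proc/1/fd
Source: /usr/lib/snapd/snapd (PID: 4679)Reads from proc file: /proc/sys/kernel/hostname
"""


def parse_rows(lines):
    """Yield (source_path, source_pid, target_pid, proc_entry) per matching row.

    Rows that are not "/proc/<pid>/..." opens (e.g. /proc/sys reads) are skipped.
    """
    for line in lines:
        m = ROW_RE.search(line)
        if m:
            yield (m["path"], int(m["pid"]), int(m["target"]), m["entry"])


def summarise(lines):
    """Group /proc/<pid> accesses by source process.

    Returns {(path, pid): {"pids": set, "exe_read": set, "fd_listed": set}}.
    """
    out = defaultdict(lambda: {"pids": set(), "exe_read": set(), "fd_listed": set()})
    for path, pid, target, entry in parse_rows(lines):
        rec = out[(path, pid)]
        rec["pids"].add(target)
        if entry == "exe":
            rec["exe_read"].add(target)
        elif entry == "fd":
            rec["fd_listed"].add(target)
    return dict(out)


def flag_process_scanner(summary, min_pids=5):
    """Return sources that read /proc/<pid>/exe for at least min_pids distinct PIDs.

    Assumption of this example: reading the exe link of many unrelated PIDs
    (PID 1 included) is how a process-killer locates competitors before
    sending SIGKILL; an ordinary daemon has no reason to do this. The
    threshold is arbitrary and should be tuned against benign baselines.
    """
    return sorted(
        (path, pid)
        for (path, pid), rec in summary.items()
        if len(rec["exe_read"]) >= min_pids
    )


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    for (path, pid), rec in summary.items():
        print(f"{path} (PID {pid}): {len(rec['pids'])} PIDs probed, "
              f"{len(rec['exe_read'])} exe links read, "
              f"{len(rec['fd_listed'])} fd dirs listed")
    print("flagged:", flag_process_scanner(summary))
```

    Run against the full row set above, the same parser attributes every /proc/<pid> open to PID 4590 and none to the snapd, NetworkManager or systemd-hostnamed processes, which only read /proc/sys entries and call uname; that separation is what makes the signature attributable to the sample rather than to sandbox background noise.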

    Mitre Att&ck Matrix

    Listed per tactic. A count in parentheses is the number of behavior signatures mapped to that technique; techniques without a count are the matrix's default column entries with no matching signature.

    Initial Access: Valid Accounts; Default Accounts
    Execution: Windows Management Instrumentation; Scheduled Task/Job
    Persistence: Path Interception; Boot or Logon Initialization Scripts
    Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
    Defense Evasion: Hidden Files and Directories (1); Obfuscated Files or Information (1)
    Credential Access: OS Credential Dumping (1); LSASS Memory
    Discovery: Security Software Discovery (1); System Information Discovery (1)
    Lateral Movement: Remote Services; Remote Desktop Protocol
    Collection: Network Information Discovery (1); Data from Removable Media
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
    Command and Control: Non-Standard Port (1); Junk Data
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
    Impact: Modify System Partition; Device Lockout

    Malware Configuration

    No configs have been found

    Behavior Graph

    Behavior Graph ID: 452448 | Sample: ovLjmo5UoE | Start date: 22/07/2021 | Architecture: LINUX | Score: 76

    Network nodes: 188.194.255.126 (KABELDEUTSCHLAND-ASDE, Germany); 196.163.215.25 (Vast-Networks-ASZA, South Africa); 98 other IPs or domains.

    Signatures attached to the sample node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file; Yara detected Mirai; Sample is packed with UPX.

    Process tree: ovLjmo5UoE starts three child ovLjmo5UoE processes, and one of those starts three more. One child and one grandchild trigger "Sample tries to kill many processes (SIGKILL)". systemd starts NetworkManager, which triggers "Opens /sys/class/net/* files useful for querying network interface information", and nm-dispatcher, which starts 01ifupdown; 9 other processes are also started.

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    ovLjmo5UoE | 39% | Virustotal | (none)
    ovLjmo5UoE | 36% | ReversingLabs | Linux.Trojan.Mirai

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://upx.sf.net | ovLjmo5UoE | false | (none) | high

    (This URL is the string the UPX packer stub embeds in every packed binary; it corroborates the "Sample is packed with UPX" signature and is not a contacted address.)

      Contacted IPs


      Public

      The Domain column is "unknown" for every entry; only 188.194.255.126 is flagged malicious. Entries with country "Reserved" have no ASN.

      IP | Domain | Country | ASN | ASN Name | Malicious
      212.243.120.245 | unknown | Switzerland | 60190 | EASTMETALSAG-ASCH | false
      107.80.78.92 | unknown | United States | 20057 | ATT-MOBILITY-LLC-AS20057US | false
      141.183.198.210 | unknown | United States | 197921 | HBTFJO | false
      223.183.33.196 | unknown | India | 45609 | BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService | false
      62.202.137.250 | unknown | Switzerland | 3303 | SWISSCOMSwisscomSwitzerlandLtdCH | false
      48.202.252.22 | unknown | United States | 2686 | ATGS-MMD-ASUS | false
      57.75.159.0 | unknown | Belgium | 51964 | ORANGE-BUSINESS-SERVICES-IPSN-ASNFR | false
      87.12.93.142 | unknown | Italy | 3269 | ASN-IBSNAZIT | false
      17.251.231.224 | unknown | United States | 714 | APPLE-ENGINEERINGUS | false
      246.229.188.194 | unknown | Reserved | unknown | unknown | false
      169.143.167.214 | unknown | United States | 26121 | JEPPESENUS | false
      58.200.126.102 | unknown | China | 4538 | ERX-CERNET-BKBChinaEducationandResearchNetworkCenter | false
      112.62.71.0 | unknown | China | 56040 | CMNET-GUANGDONG-APChinaMobilecommunicationscorporation | false
      212.192.40.64 | unknown | Russian Federation | 8411 | OmskStateUniversityofFMDostoevskyRU | false
      71.101.175.126 | unknown | United States | 701 | UUNETUS | false
      102.101.70.174 | unknown | Morocco | 36925 | ASMediMA | false
      85.34.217.17 | unknown | Italy | 3269 | ASN-IBSNAZIT | false
      84.4.51.252 | unknown | France | 8228 | CEGETEL-ASFR | false
      151.250.59.213 | unknown | Turkey | 34984 | TELLCOM-ASTR | false
      39.27.35.122 | unknown | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | false
      66.249.208.7 | unknown | United States | 263783 | TelefonicaMovilesElSalvadorSAdeCVSV | false
      189.149.208.100 | unknown | Mexico | 8151 | UninetSAdeCVMX | false
      148.88.191.96 | unknown | United Kingdom | 786 | JANETJiscServicesLimitedGB | false
      75.254.245.174 | unknown | United States | 22394 | CELLCOUS | false
      126.71.54.80 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | false
      63.82.137.206 | unknown | United States | 22530 | DLKCOREUS | false
      13.183.171.172 | unknown | United States | 7018 | ATT-INTERNET4US | false
      63.34.62.30 | unknown | United States | 16509 | AMAZON-02US | false
      16.128.90.54 | unknown | United States | unknown | unknown | false
      164.68.58.122 | unknown | United States | 33491 | COMCAST-33491US | false
      14.9.218.72 | unknown | Japan | 2516 | KDDIKDDICORPORATIONJP | false
      19.31.71.136 | unknown | United States | 3 | MIT-GATEWAYSUS | false
      154.232.39.223 | unknown | Cote D'ivoire | 36974 | AFNET-ASCI | false
      121.240.24.72 | unknown | India | 4755 | TATACOMM-ASTATACommunicationsformerlyVSNLisLeadingISP | false
      125.230.178.235 | unknown | Taiwan; Republic of China (ROC) | 3462 | HINETDataCommunicationBusinessGroupTW | false
      126.97.253.94 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | false
      43.80.136.150 | unknown | Japan | 4249 | LILLY-ASUS | false
      148.82.30.56 | unknown | Norway | 2116 | ASN-CATCHCOMNO | false
      32.219.167.7 | unknown | United States | 46690 | SNET-FCCUS | false
      203.69.188.213 | unknown | Taiwan; Republic of China (ROC) | 3462 | HINETDataCommunicationBusinessGroupTW | false
      182.12.230.65 | unknown | Indonesia | 23693 | TELKOMSEL-ASN-IDPTTelekomunikasiSelularID | false
      178.166.54.39 | unknown | Portugal | 12353 | VODAFONE-PTVodafonePortugalPT | false
      123.43.115.37 | unknown | Korea Republic of | 6619 | SAMSUNGSDS-AS-KRSamsungSDSIncKR | false
      139.3.152.138 | unknown | Germany | 15486 | MATERNA-ASDE | false
      197.136.200.27 | unknown | Kenya | 36914 | KENET-ASKE | false
      90.199.44.81 | unknown | United Kingdom | 5607 | BSKYB-BROADBAND-ASGB | false
      72.97.169.72 | unknown | United States | 22394 | CELLCOUS | false
      163.34.66.70 | unknown | Norway | 2830 | MCI-DUAL-HOMED-CUSTOMERSGB | false
      39.250.54.83 | unknown | Indonesia | 23693 | TELKOMSEL-ASN-IDPTTelekomunikasiSelularID | false
      120.159.142.193 | unknown | Australia | 135887 | TELSTRA-BELONG-APTelstraCorporationAU | false
      98.64.51.118 | unknown | United States | 11351 | TWC-11351-NORTHEASTUS | false
      17.225.120.248 | unknown | United States | 714 | APPLE-ENGINEERINGUS | false
      136.134.215.169 | unknown | United States | 60311 | ONEFMCH | false
      252.178.25.110 | unknown | Reserved | unknown | unknown | false
      27.55.158.39 | unknown | Thailand | 132061 | REALMOVE-AS-APRealmoveCompanyLimitedTH | false
      88.188.222.189 | unknown | France | 12322 | PROXADFR | false
      54.61.128.52 | unknown | United States | 14618 | AMAZON-AESUS | false
      141.179.46.50 | unknown | Saudi Arabia | 197921 | HBTFJO | false
      180.93.201.254 | unknown | Viet Nam | 7602 | SPT-AS-VNSaigonPostelCorporationVN | false
      196.163.215.25 | unknown | South Africa | 328065 | Vast-Networks-ASZA | false
      253.163.201.180 | unknown | Reserved | unknown | unknown | false
      12.99.29.172 | unknown | United States | 7018 | ATT-INTERNET4US | false
      150.203.102.36 | unknown | Australia | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | false
      192.184.168.97 | unknown | United States | 7065 | SONOMAUS | false
      158.221.30.171 | unknown | United States | 8556 | LEVANTISCH | false
      207.139.218.205 | unknown | United States | 701 | UUNETUS | false
      121.106.141.196 | unknown | Japan | 2516 | KDDIKDDICORPORATIONJP | false
      123.211.244.90 | unknown | Australia | 1221 | ASN-TELSTRATelstraCorporationLtdAU | false
      241.191.141.51 | unknown | Reserved | unknown | unknown | false
      117.27.93.243 | unknown | China | 133776 | CHINATELECOM-FUJIAN-QUANZHOU-IDC1QuanzhouCN | false
      242.69.219.211 | unknown | Reserved | unknown | unknown | false
      154.128.36.72 | unknown | Egypt | 37069 | MOBINILEG | false
      135.162.207.106 | unknown | United States | 14962 | NCR-252US | false
      133.164.200.47 | unknown | Japan | 11363 | FUJITSU-USAUS | false
      194.192.157.80 | unknown | Denmark | 3292 | TDCTDCASDK | false
      34.39.115.118 | unknown | United States | 2686 | ATGS-MMD-ASUS | false
      14.201.38.78 | unknown | Australia | 7545 | TPG-INTERNET-APTPGTelecomLimitedAU | false
      97.58.156.221 | unknown | United States | 22394 | CELLCOUS | false
      133.18.186.30 | unknown | Japan | 24282 | KIRKAGOYAJAPANIncJP | false
      72.249.127.250 | unknown | United States | 55045 | TEKTONICUS | false
      83.106.154.9 | unknown | United Kingdom | 2529 | DEMON-INTERNETNowmaintainedbyCableWirelessWorldwide | false
      173.254.89.32 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | false
      216.167.124.0 | unknown | United States | 2914 | NTT-COMMUNICATIONS-2914US | false
      165.188.193.247 | unknown | United States | 7046 | RFC2270-UUNET-CUSTOMERUS | false
      188.194.255.126 | unknown | Germany | 31334 | KABELDEUTSCHLAND-ASDE | true
      34.11.95.205 | unknown | United States | 2686 | ATGS-MMD-ASUS | false
      197.44.77.126 | unknown | Egypt | 8452 | TE-ASTE-ASEG | false
      208.251.30.111 | unknown | United States | 4208 | THE-ISERV-COMPANYUS | false
      101.122.220.109 | unknown | China | 133612 | VODAFONE-AS-APVodafoneAustraliaPtyLtdAU | false
      218.62.23.71 | unknown | China | 4837 | CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | false
      220.188.110.53 | unknown | China | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | false
      182.224.230.163 | unknown | Korea Republic of | 17858 | POWERVIS-AS-KRLGPOWERCOMMKR | false
      16.156.54.149 | unknown | United States | unknown | unknown | false
      63.237.52.235 | unknown | United States | 209 | CENTURYLINK-US-LEGACY-QWESTUS | false
      83.142.228.128 | unknown | United Kingdom | 20860 | IOMART-ASGB | false
      252.23.58.9 | unknown | Reserved | unknown | unknown | false
      45.161.168.68 | unknown | Argentina | 265751 | CooperativadeProvisiondeObrasyServiciosPublicosdeBa | false
      71.232.108.2 | unknown | United States | 7922 | COMCAST-7922US | false
      126.92.157.231 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | false
      250.53.43.75 | unknown | Reserved | unknown | unknown | false


      Runtime Messages

      Command:/tmp/ovLjmo5UoE
      Exit Code:0
      Exit Code Info:
      Killed:False
      Standard Output:
      Connected To CNC
      Standard Error:

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      Matches are by ASN, not by address: each row is a previously analysed sample that contacted an IP in the same ASN as one of this sample's contacted IPs. The SHA 256 and Link columns of the original table carried only hash-lookup and browse links and are omitted.

      Match (ASN Name) | Associated Sample Name / URL | Detection | Context (IP contacted)

      HBTFJO
      rnQYDw7A4G | malicious | 141.179.178.40
      qiJTsutSGd | malicious | 141.128.59.194
      networkmanager | malicious | 141.128.58.33

      SWISSCOMSwisscomSwitzerlandLtdCH
      U1R7Ed7940 | malicious | 92.104.24.14
      Xr3hmBQcmw | malicious | 199.58.15.29
      eAtDhymLzp | malicious | 170.17.254.65
      StyBaUxNYq | malicious | 170.17.254.76
      tPzL0MlKIo | malicious | 164.128.83.121
      7Pvt6Jni6p | malicious | 178.174.84.95
      BWG6npgduP | malicious | 188.63.207.147
      FawDB415Y0 | malicious | 164.213.217.106
      9Rka7BK2rI | malicious | 83.76.95.84
      Xlojlgo2gb | malicious | 161.78.252.122
      wZ6O9wSQ4e | malicious | 146.4.138.25
      popsmoke.mpsl | malicious | 85.4.56.40
      popsmoke.mpsl | malicious | 85.4.129.193
      NJrrXRv8zV | malicious | 199.58.15.19
      0aC0TBcdxb | malicious | 62.202.137.210
      packa.....(1).exe | malicious | 194.209.26.19
      8UsA.sh | malicious | 164.194.71.73
      rIbyGX66Op | malicious | 46.14.87.211
      wEcncyxrEe | malicious | 193.247.145.159
      v22Pc0qA.doc.doc | malicious | 194.209.195.106

      ATT-MOBILITY-LLC-AS20057US
      LyxN1ckWTW | malicious | 32.177.92.64
      oEF7GAiRIg | malicious | 107.239.189.255
      GEso3CniSk | malicious | 107.126.232.108
      VGi1EK6T17 | malicious | 107.238.216.59
      C4PozjQdGE | malicious | 166.135.156.175
      kb5IbEJU8c | malicious | 155.167.205.95
      Xr3hmBQcmw | malicious | 107.89.110.96
      SUpODCSauS | malicious | 107.80.66.77
      rxfttQnoO5 | malicious | 32.179.93.22
      TFG18FA4eD | malicious | 32.179.205.98
      YazlX01sZD | malicious | 166.131.98.187
      IYmbrE4LVN | malicious | 107.235.32.36
      7Pvt6Jni6p | malicious | 107.84.32.16
      wZ6O9wSQ4e | malicious | 166.203.93.113
      Z7bNxhhS7y | malicious | 166.173.75.114
      Ebex99Bzzw | malicious | 107.238.216.34
      Rl9KiguX35 | malicious | 166.208.166.27
      o0z4JJpYNf | malicious | 166.206.214.209
      XPChvE6GQd | malicious | 32.191.153.155
      8UsA.sh | malicious | 107.84.32.11

      BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService
      s54l0GKMh9 | malicious | 106.199.18.119
      XuQRPW44hi | malicious | 27.62.7.11
      5qpsqg7U0G | malicious | 106.216.219.55
      Qka3fi8NpL | malicious | 182.66.53.126
      SUpODCSauS | malicious | 106.193.85.203
      CGjf615z6v | malicious | 106.202.148.183
      eAtDhymLzp | malicious | 106.199.110.165
      FawDB415Y0 | malicious | 223.191.224.241
      sap7ltEdFx | malicious | 223.237.42.14
      Vk3A1yJJMg | malicious | 223.179.202.232
      471u0A1FPw | malicious | 182.67.0.255
      9Rka7BK2rI | malicious | 223.189.108.131
      FN0ZF2Nm21 | malicious | 27.56.113.237
      YXYFqHRx2m | malicious | 106.223.19.235
      eubqHHIQkc | malicious | 106.200.18.85
      i | malicious | 106.206.253.40
      er5c5eUn.exe | malicious | 106.214.237.83
      i | malicious | 223.187.54.231
      IMG001.exe | malicious | 171.49.33.151
      1.sh | malicious | 182.66.161.218

      JA3 Fingerprints

      No context

      Dropped Files

      No context