Play interactive tour

Edit tour

Linux Analysis Report ovLjmo5UoE

Overview

General Information

Sample Name:	ovLjmo5UoE
Analysis ID:	452448
MD5:	96468aa8293a504d9431860381691baf
SHA1:	a2e7baff712d4a1a41b2b83f60e0afcbaa774190
SHA256:	6596ffeba4d8ea7bc59db3f41d511c1241263f9dd3c01a5657c89279bc8c4fd5
Tags:	32elfmipsmirai
Infos:

Detection

Mirai

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Opens /sys/class/net/* files useful for querying network interface information

Sample is packed with UPX

Sample tries to kill many processes (SIGKILL)

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Reads system information from the proc file system

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452448
Start date:	22.07.2021
Start time:	11:25:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 44s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	ovLjmo5UoE
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:	default
Detection:	MAL
Classification:	mal76.spre.troj.spyw.evad.lin@0/8@0/0
Warnings:	Show All Excluded IPs from analysis (whitelisted): 91.189.92.39, 91.189.92.19, 91.189.92.40, 91.189.92.38, 91.189.92.20, 91.189.92.41 TCP Packets have been reduced to 100 Excluded domains from analysis (whitelisted): api.snapcraft.io Report size exceeded maximum capacity and may have missing network information.

Process Tree

system is lnxubuntu1

ovLjmo5UoE (PID: 4571, Parent: 4498, MD5: 96468aa8293a504d9431860381691baf) Arguments: /usr/bin/qemu-mips /tmp/ovLjmo5UoE

ovLjmo5UoE New Fork (PID: 4586, Parent: 4571)

ovLjmo5UoE New Fork (PID: 4587, Parent: 4571)

ovLjmo5UoE New Fork (PID: 4588, Parent: 4571)

ovLjmo5UoE New Fork (PID: 4590, Parent: 4588)

ovLjmo5UoE New Fork (PID: 4591, Parent: 4588)

ovLjmo5UoE New Fork (PID: 4592, Parent: 4588)

systemd New Fork (PID: 4602, Parent: 1)

sshd (PID: 4602, Parent: 1, MD5: 661b2a2da3b6c7d7ef41d0b9da1caa3b) Arguments: /usr/sbin/sshd -D

systemd New Fork (PID: 4614, Parent: 1)

NetworkManager (PID: 4614, Parent: 1, MD5: 43dcb4efce9c2c522442ae62538bf659) Arguments: /usr/sbin/NetworkManager --no-daemon

systemd New Fork (PID: 4628, Parent: 1)

nm-online (PID: 4628, Parent: 1, MD5: ac72f7c256e548d273a5133a245a1638) Arguments: /usr/bin/nm-online -s -q --timeout=30

systemd New Fork (PID: 4641, Parent: 1)

nm-dispatcher (PID: 4641, Parent: 1, MD5: 7d4ef829ade49b564256f3f295f9c826) Arguments: /usr/lib/NetworkManager/nm-dispatcher

nm-dispatcher New Fork (PID: 4665, Parent: 4641)

01ifupdown (PID: 4665, Parent: 4641, MD5: 299819a8e64f00a1edbdfc99d05a8594) Arguments: /bin/sh -e /etc/NetworkManager/dispatcher.d/01ifupdown none hostname

systemd New Fork (PID: 4654, Parent: 1)

systemd-hostnamed (PID: 4654, Parent: 1, MD5: b05764f1a40963131ea2e1cd585f4139) Arguments: /lib/systemd/systemd-hostnamed

systemd New Fork (PID: 4679, Parent: 1)

snapd (PID: 4679, Parent: 1, MD5: 416402f94a949af355c09e8bccfa0eb0) Arguments: /usr/lib/snapd/snapd

systemd New Fork (PID: 4698, Parent: 1)

iscsiadm (PID: 4698, Parent: 1, MD5: b9363fe8099be776e324a481e209d7c4) Arguments: /sbin/iscsiadm -k 0 2

systemd New Fork (PID: 4722, Parent: 1)

sshd (PID: 4722, Parent: 1, MD5: 661b2a2da3b6c7d7ef41d0b9da1caa3b) Arguments: /usr/sbin/sshd -D

systemd New Fork (PID: 4776, Parent: 1)

systemd-hostnamed (PID: 4776, Parent: 1, MD5: b05764f1a40963131ea2e1cd585f4139) Arguments: /lib/systemd/systemd-hostnamed

systemd New Fork (PID: 4799, Parent: 1)

snapd (PID: 4799, Parent: 1, MD5: 416402f94a949af355c09e8bccfa0eb0) Arguments: /usr/lib/snapd/snapd

systemd New Fork (PID: 4818, Parent: 1)

sshd (PID: 4818, Parent: 1, MD5: 661b2a2da3b6c7d7ef41d0b9da1caa3b) Arguments: /usr/sbin/sshd -D

cleanup

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: ovLjmo5UoE	Virustotal: Detection: 39%			Perma Link
Source: ovLjmo5UoE	ReversingLabs: Detection: 35%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.206.52.202: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 216.46.140.130: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.141.18.252: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.158.189.216: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.14.137.207: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.187.182.10: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 185.53.43.149: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.76.107.76: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.39.133.145: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.210.184.202: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.105.217.37: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 38.145.126.167: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 212.38.200.14: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 150.140.128.36: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 164.82.21.30: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 83.252.195.75:23 -> 192.168.2.20:57730
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 83.252.195.75:23 -> 192.168.2.20:57730
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 118.89.161.22: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.221.176.245: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.1.101.23: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 157.131.120.253: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 117.79.147.220: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 109.3.180.221: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.222.50.234: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.202.93.158: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.104.94.160: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.133.14.18: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 76.182.2.23: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 38.77.33.105: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.242.148.249: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 104.164.211.67: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.220.238.22: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.3.103.127: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 31.16.228.55: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 71.71.149.239: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.236.99.217: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 165.156.24.254: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 123.28.129.115:23 -> 192.168.2.20:52144
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 123.28.129.115:23 -> 192.168.2.20:52144
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 83.252.195.75:23 -> 192.168.2.20:57756
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 83.252.195.75:23 -> 192.168.2.20:57756
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.115.194.8:23 -> 192.168.2.20:40118
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.115.194.8:23 -> 192.168.2.20:40118
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 109.91.209.23: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 213.162.131.61: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 41.182.170.84: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.3.9.19: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.15.101.176: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.78.164.87: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.161.50.31:23 -> 192.168.2.20:57270
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.189.50.150: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.249.251.103: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.68.16.151: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.226.132.37: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.151.208.202: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.244.183.161: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.80.223.124: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.238.179.2: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.204.86.30: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 178.250.156.79: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.220.200.185: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.216.34.60: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 112.161.50.31:23 -> 192.168.2.20:57270
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 112.161.50.31:23 -> 192.168.2.20:57270
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.136.107.165: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.138.182.105: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.212.95.148: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 83.252.195.75:23 -> 192.168.2.20:57784
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 83.252.195.75:23 -> 192.168.2.20:57784
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 81.187.31.248: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.115.194.8:23 -> 192.168.2.20:40152
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.115.194.8:23 -> 192.168.2.20:40152
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 185.210.144.142: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 156.225.40.8: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.86.223.11: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.58.81.50: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 66.235.40.90: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.46.32.7: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.223.78.97: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.62.111.39: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.185.200.139: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.181.61.244: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.67.205.104: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 37.138.6.248: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 211.0.203.166: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 42.146.38.252: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.171.165.105: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.79.228.83: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.38.92.86: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.104.29.28: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.161.50.31:23 -> 192.168.2.20:57308
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.93.104.118: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 45.11.167.168: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.102.240.129: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 83.252.195.75:23 -> 192.168.2.20:57816
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 83.252.195.75:23 -> 192.168.2.20:57816
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.207.34.90: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.205.109.8: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 195.123.196.60: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.115.194.8:23 -> 192.168.2.20:40184
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.115.194.8:23 -> 192.168.2.20:40184
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 112.161.50.31:23 -> 192.168.2.20:57308
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 112.161.50.31:23 -> 192.168.2.20:57308
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.59.157.50: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.96.225.243: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 31.16.49.61: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.137.116.218: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.10.109.92: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.145.21.207: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.237.204.118: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 14.205.250.146:23 -> 192.168.2.20:45122
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.112.224.39: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 146.113.182.29: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 104.149.41.166: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 37.19.192.13: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 104.165.165.188: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 187.63.81.2: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.6.113.226: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.171.215.10: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 107.149.132.212: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.205.250.146:23 -> 192.168.2.20:45122
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.205.250.146:23 -> 192.168.2.20:45122
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.136.46.130: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 73.17.215.33: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 104.246.110.169: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 38.145.68.165: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.166.253: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 83.252.195.75:23 -> 192.168.2.20:57852
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 83.252.195.75:23 -> 192.168.2.20:57852
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 47.224.244.56: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.161.50.31:23 -> 192.168.2.20:57366
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.100.61.125: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.160.80.8: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.115.194.8:23 -> 192.168.2.20:40226
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.115.194.8:23 -> 192.168.2.20:40226
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.157.94.131: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.14.173.31: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 61.148.75.14: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.167.57: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 112.161.50.31:23 -> 192.168.2.20:57366
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 112.161.50.31:23 -> 192.168.2.20:57366
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.51.143.97: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.93.25.85: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.102.145.203: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 81.173.229.53: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.10.241.39: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.58.29.45: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 14.205.250.146:23 -> 192.168.2.20:45200
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 123.28.129.115:23 -> 192.168.2.20:52292
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 123.28.129.115:23 -> 192.168.2.20:52292
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.136.42.131: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.142.28.175: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.245.68.10: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 58.229.25.130: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.213.239.9: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 66.216.100.81: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 83.252.195.75:23 -> 192.168.2.20:57928
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 83.252.195.75:23 -> 192.168.2.20:57928
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.73.183.10: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 78.54.50.116: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.189.53.52: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.205.250.146:23 -> 192.168.2.20:45200
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.205.250.146:23 -> 192.168.2.20:45200
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.236.103.122: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.245.37.209: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 142.11.200.85: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.132.71.234: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 139.162.188.160: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.115.194.8:23 -> 192.168.2.20:40300
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.115.194.8:23 -> 192.168.2.20:40300
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.213.231.118: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.165.189: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.161.50.31:23 -> 192.168.2.20:57434
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.228.249.207: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.96.189.198: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 168.138.51.252: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.227.139.98: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 81.197.74.218: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 172.22.1.1: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 112.161.50.31:23 -> 192.168.2.20:57434
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 112.161.50.31:23 -> 192.168.2.20:57434
Source: Traffic	Snort IDS: 716 INFO TELNET access 14.205.250.146:23 -> 192.168.2.20:45258
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 83.252.195.75:23 -> 192.168.2.20:57962
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 83.252.195.75:23 -> 192.168.2.20:57962
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.202.108.214: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.115.181: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.8.159.180: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.194.176.76: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.249.86.56: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.72.15.221: -> 192.168.2.20:
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 110.180.175.139:23 -> 192.168.2.20:42776
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.66.180.226: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.217.91.154: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.205.250.146:23 -> 192.168.2.20:45258
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.205.250.146:23 -> 192.168.2.20:45258
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 213.247.84.154: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.115.194.8:23 -> 192.168.2.20:40348
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.115.194.8:23 -> 192.168.2.20:40348
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.235.155.18: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.103.225.23: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.94.119.124: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.210.183.138: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 85.237.181.159: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 156.238.212.60: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.201.158.49: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.192.226.58: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.217.23.68: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.194.255.126: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 208.83.33.178: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 210.1.58.221: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 114.38.72.71: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.168.121: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 111.240.194.130: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.161.50.31:23 -> 192.168.2.20:57494
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.100.194.137: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.180.174.88: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.206.15.128: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 104.200.173.31: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 83.252.195.75:23 -> 192.168.2.20:58000
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 83.252.195.75:23 -> 192.168.2.20:58000
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 220.247.116.79: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 216.170.72.61: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.222.255.248: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.6.123.199: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 89.14.146.24: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 66.90.157.37: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 14.205.250.146:23 -> 192.168.2.20:45318
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.253.201.62: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 141.98.40.196: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 112.161.50.31:23 -> 192.168.2.20:57494
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 112.161.50.31:23 -> 192.168.2.20:57494
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.3.109.160: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.115.194.8:23 -> 192.168.2.20:40398
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.115.194.8:23 -> 192.168.2.20:40398
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.59.125.43: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 45.50.201.121: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.205.250.146:23 -> 192.168.2.20:45318
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.205.250.146:23 -> 192.168.2.20:45318
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 45.38.242.95: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.61.112.131: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.96.135.46: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.169.218.117: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 193.38.231.77: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 222.227.12.140: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.22.190.149: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.157.99.174: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 213.209.83.237: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.218.117.210: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 185.54.120.139: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.33.241.210: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.157.1.253: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 198.72.198.235: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2023434 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) 192.168.2.20:52194 -> 91.84.219.112:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 83.252.195.75:23 -> 192.168.2.20:58076
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 83.252.195.75:23 -> 192.168.2.20:58076
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.136.120.190: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 186.236.190.82: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 222.124.62.149:23 -> 192.168.2.20:54750
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.85.172.143: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.215.42.54: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 174.104.201.70: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 139.162.85.233: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.243.43.164: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.229.179.132: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 68.53.85.3: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.8.221.169:23 -> 192.168.2.20:48746
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 85.190.179.205: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 123.28.129.115:23 -> 192.168.2.20:52476
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 123.28.129.115:23 -> 192.168.2.20:52476
Source: Traffic	Snort IDS: 716 INFO TELNET access 112.161.50.31:23 -> 192.168.2.20:57590
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 78.34.156.149: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.14.37.249: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 14.205.250.146:23 -> 192.168.2.20:45386
Source: Traffic	Snort IDS: 2023449 ET TROJAN Possible Linux.Mirai Login Attempt (vizxv) 192.168.2.20:52222 -> 91.84.219.112:23
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 122.14.200.176: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 201.91.97.198: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.115.194.8:23 -> 192.168.2.20:40456
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.115.194.8:23 -> 192.168.2.20:40456
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.132.152.81: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.211.98.249: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.232.103.205: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.255.80.14: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.217.41.160: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.26.127.38: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 80.178.217.39:23 -> 192.168.2.20:50378
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 80.178.217.39:23 -> 192.168.2.20:50378
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.8.221.169:23 -> 192.168.2.20:48780
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 103.242.0.226: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 168.95.22.153: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.205.250.146:23 -> 192.168.2.20:45386
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.205.250.146:23 -> 192.168.2.20:45386
Source: Traffic	Snort IDS: 2023433 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) 192.168.2.20:52252 -> 91.84.219.112:23
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 193.80.96.224: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.217.127.79: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.203.183.81: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 83.252.195.75:23 -> 192.168.2.20:58118
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 83.252.195.75:23 -> 192.168.2.20:58118
Source: Traffic	Snort IDS: 716 INFO TELNET access 177.8.221.169:23 -> 192.168.2.20:48804
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.213.211.209: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 212.117.93.90: -> 192.168.2.20:

Opens /sys/class/net/* files useful for querying network interface information

Show sources

Source: /usr/sbin/NetworkManager (PID: 4614)	Opens: /sys/class/net/ens160/uevent
Source: /usr/sbin/NetworkManager (PID: 4614)	Opens: /sys/class/net/
Source: /usr/sbin/NetworkManager (PID: 4614)	Opens: /sys/class/net/ens160/phys_port_id
Source: /usr/sbin/NetworkManager (PID: 4614)	Opens: /sys/class/net/ens160/dev_id
Source: /usr/sbin/NetworkManager (PID: 4614)	Opens: /sys/class/net/lo/phys_port_id
Source: /usr/sbin/NetworkManager (PID: 4614)	Opens: /sys/class/net/lo/dev_id

Source: global traffic

TCP traffic: 192.168.2.20:35686 -> 37.230.137.227:1312

Source: /tmp/ovLjmo5UoE (PID: 4586)	Socket: 0.0.0.0::0
Source: /tmp/ovLjmo5UoE (PID: 4586)	Socket: 0.0.0.0::23
Source: /tmp/ovLjmo5UoE (PID: 4586)	Socket: 0.0.0.0::53413
Source: /tmp/ovLjmo5UoE (PID: 4586)	Socket: 0.0.0.0::80
Source: /tmp/ovLjmo5UoE (PID: 4586)	Socket: 0.0.0.0::52869
Source: /tmp/ovLjmo5UoE (PID: 4586)	Socket: 0.0.0.0::37215
Source: /tmp/ovLjmo5UoE (PID: 4590)	Socket: 0.0.0.0::0
Source: /tmp/ovLjmo5UoE (PID: 4590)	Socket: 0.0.0.0::23
Source: /tmp/ovLjmo5UoE (PID: 4590)	Socket: 0.0.0.0::53413
Source: /tmp/ovLjmo5UoE (PID: 4590)	Socket: 0.0.0.0::80
Source: /tmp/ovLjmo5UoE (PID: 4590)	Socket: 0.0.0.0::52869
Source: /tmp/ovLjmo5UoE (PID: 4590)	Socket: 0.0.0.0::37215
Source: /usr/sbin/sshd (PID: 4602)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 4602)	Socket: [::]::22
Source: /usr/sbin/sshd (PID: 4722)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 4722)	Socket: [::]::22
Source: /usr/sbin/sshd (PID: 4818)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 4818)	Socket: [::]::22

Source: unknown	TCP traffic detected without corresponding DNS query: 76.213.67.173
Source: unknown	TCP traffic detected without corresponding DNS query: 179.205.5.65
Source: unknown	TCP traffic detected without corresponding DNS query: 61.153.233.170
Source: unknown	TCP traffic detected without corresponding DNS query: 207.227.209.173
Source: unknown	TCP traffic detected without corresponding DNS query: 171.78.44.24
Source: unknown	TCP traffic detected without corresponding DNS query: 106.127.255.204
Source: unknown	TCP traffic detected without corresponding DNS query: 58.226.155.34
Source: unknown	TCP traffic detected without corresponding DNS query: 246.232.49.78
Source: unknown	TCP traffic detected without corresponding DNS query: 191.41.100.141
Source: unknown	TCP traffic detected without corresponding DNS query: 2.185.178.168
Source: unknown	TCP traffic detected without corresponding DNS query: 84.123.113.61
Source: unknown	TCP traffic detected without corresponding DNS query: 44.158.120.198
Source: unknown	TCP traffic detected without corresponding DNS query: 142.213.109.21
Source: unknown	TCP traffic detected without corresponding DNS query: 93.53.253.241
Source: unknown	TCP traffic detected without corresponding DNS query: 108.134.218.175
Source: unknown	TCP traffic detected without corresponding DNS query: 146.224.14.156
Source: unknown	TCP traffic detected without corresponding DNS query: 61.108.93.79
Source: unknown	TCP traffic detected without corresponding DNS query: 180.78.14.186
Source: unknown	TCP traffic detected without corresponding DNS query: 201.244.205.166
Source: unknown	TCP traffic detected without corresponding DNS query: 98.36.135.212
Source: unknown	TCP traffic detected without corresponding DNS query: 168.174.231.242
Source: unknown	TCP traffic detected without corresponding DNS query: 123.232.167.199
Source: unknown	TCP traffic detected without corresponding DNS query: 9.195.127.44
Source: unknown	TCP traffic detected without corresponding DNS query: 179.156.207.215
Source: unknown	TCP traffic detected without corresponding DNS query: 116.218.236.8
Source: unknown	TCP traffic detected without corresponding DNS query: 169.217.183.31
Source: unknown	TCP traffic detected without corresponding DNS query: 106.32.83.100
Source: unknown	TCP traffic detected without corresponding DNS query: 247.61.232.15
Source: unknown	TCP traffic detected without corresponding DNS query: 195.56.215.241
Source: unknown	TCP traffic detected without corresponding DNS query: 57.192.68.113
Source: unknown	TCP traffic detected without corresponding DNS query: 149.42.143.229
Source: unknown	TCP traffic detected without corresponding DNS query: 172.233.225.100
Source: unknown	TCP traffic detected without corresponding DNS query: 183.204.18.102
Source: unknown	TCP traffic detected without corresponding DNS query: 2.162.159.163
Source: unknown	TCP traffic detected without corresponding DNS query: 59.115.76.5
Source: unknown	TCP traffic detected without corresponding DNS query: 13.205.47.249
Source: unknown	TCP traffic detected without corresponding DNS query: 47.80.23.223
Source: unknown	TCP traffic detected without corresponding DNS query: 244.162.61.181
Source: unknown	TCP traffic detected without corresponding DNS query: 80.181.253.238
Source: unknown	TCP traffic detected without corresponding DNS query: 120.0.37.110
Source: unknown	TCP traffic detected without corresponding DNS query: 17.113.161.8
Source: unknown	TCP traffic detected without corresponding DNS query: 174.139.81.39
Source: unknown	TCP traffic detected without corresponding DNS query: 243.213.237.102
Source: unknown	TCP traffic detected without corresponding DNS query: 207.118.80.185
Source: unknown	TCP traffic detected without corresponding DNS query: 183.175.49.51
Source: unknown	TCP traffic detected without corresponding DNS query: 159.136.86.95
Source: unknown	TCP traffic detected without corresponding DNS query: 69.194.204.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.5.236.115
Source: unknown	TCP traffic detected without corresponding DNS query: 37.230.137.227
Source: unknown	TCP traffic detected without corresponding DNS query: 76.181.217.1

Source: ovLjmo5UoE

String found in binary or memory: http://upx.sf.net

System Summary:

Sample tries to kill many processes (SIGKILL)

Show sources

Source: /tmp/ovLjmo5UoE (PID: 4586)	SIGKILL sent: pid: 1339, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 4586, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 1059, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 1065, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 1091, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 1362, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 1363, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3289, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3308, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3484, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3491, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3496, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3501, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3596, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3601, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3606, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3611, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3616, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3790, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3791, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 4592, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 4602, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 4614, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 4679, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 4722, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 4590, result: successful

Source: LOAD without section mappings

Program segment: 0x100000

Source: /tmp/ovLjmo5UoE (PID: 4586)	SIGKILL sent: pid: 1339, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 4586, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 1059, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 1065, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 1091, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 1362, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 1363, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3289, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3308, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3484, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3491, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3496, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3501, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3596, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3601, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3606, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3611, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3616, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3790, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 3791, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 4592, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 4602, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 4614, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 4679, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 4722, result: successful
Source: /tmp/ovLjmo5UoE (PID: 4590)	SIGKILL sent: pid: 4590, result: successful

Source: classification engine

Classification label: mal76.spre.troj.spyw.evad.lin@0/8@0/0

Data Obfuscation:

Sample is packed with UPX

Show sources

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /usr/sbin/NetworkManager (PID: 4614)

Directory: /root/.cache

Jump to behavior

Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1065/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1065/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1065/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3485/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3485/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3485/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3485/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3485/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3484/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3484/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3484/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1062/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1062/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1062/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1062/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1062/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3482/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3482/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3482/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3482/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3482/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3481/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3481/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3481/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3481/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3481/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1060/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1060/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1060/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1060/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1060/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1059/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1059/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1059/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3479/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3479/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3479/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3479/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3479/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3512/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3512/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3512/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3512/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3512/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3477/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3477/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3477/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3477/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3477/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1452/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1452/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1452/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1452/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1452/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/514/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3632/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3632/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3632/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3632/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3632/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/4722/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/4602/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/519/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3518/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3518/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3518/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3518/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3518/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/4586/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/4586/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3497/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3497/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3497/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3497/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3497/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3133/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3133/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3133/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3133/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3133/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3496/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3496/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3496/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1072/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1072/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1072/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1072/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1072/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3491/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3491/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3491/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/483/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3527/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3527/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3527/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3527/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3527/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/1/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3525/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3525/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3525/exe
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3525/fd
Source: /tmp/ovLjmo5UoE (PID: 4590)	File opened: /proc/3525/fd

Source: /usr/lib/snapd/snapd (PID: 4679)	Reads from proc file: /proc/sys/net/core/somaxconn	Jump to behavior
Source: /usr/lib/snapd/snapd (PID: 4679)	Reads from proc file: /proc/sys/kernel/hostname	Jump to behavior
Source: /usr/lib/snapd/snapd (PID: 4799)	Reads from proc file: /proc/sys/net/core/somaxconn	Jump to behavior
Source: /usr/lib/snapd/snapd (PID: 4799)	Reads from proc file: /proc/sys/kernel/hostname	Jump to behavior

Source: /tmp/ovLjmo5UoE (PID: 4571)	Queries kernel information via 'uname':
Source: /usr/sbin/NetworkManager (PID: 4614)	Queries kernel information via 'uname':
Source: /lib/systemd/systemd-hostnamed (PID: 4654)	Queries kernel information via 'uname':
Source: /usr/lib/snapd/snapd (PID: 4679)	Queries kernel information via 'uname':
Source: /lib/systemd/systemd-hostnamed (PID: 4776)	Queries kernel information via 'uname':
Source: /usr/lib/snapd/snapd (PID: 4799)	Queries kernel information via 'uname':

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Hidden Files and Directories1	OS Credential Dumping1	Security Software Discovery1	Remote Services	Network Information Discovery1	Exfiltration Over Other Network Medium	Non-Standard Port1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information1	LSASS Memory	System Information Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ovLjmo5UoE	39%	Virustotal		Browse
ovLjmo5UoE	36%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	ovLjmo5UoE	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
212.243.120.245	unknown	Switzerland	60190	EASTMETALSAG-ASCH	false
107.80.78.92	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
141.183.198.210	unknown	United States	197921	HBTFJO	false
223.183.33.196	unknown	India	45609	BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService	false
62.202.137.250	unknown	Switzerland	3303	SWISSCOMSwisscomSwitzerlandLtdCH	false
48.202.252.22	unknown	United States	2686	ATGS-MMD-ASUS	false
57.75.159.0	unknown	Belgium	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
87.12.93.142	unknown	Italy	3269	ASN-IBSNAZIT	false
17.251.231.224	unknown	United States	714	APPLE-ENGINEERINGUS	false
246.229.188.194	unknown	Reserved	unknown	unknown	false
169.143.167.214	unknown	United States	26121	JEPPESENUS	false
58.200.126.102	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
112.62.71.0	unknown	China	56040	CMNET-GUANGDONG-APChinaMobilecommunicationscorporation	false
212.192.40.64	unknown	Russian Federation	8411	OmskStateUniversityofFMDostoevskyRU	false
71.101.175.126	unknown	United States	701	UUNETUS	false
102.101.70.174	unknown	Morocco	36925	ASMediMA	false
85.34.217.17	unknown	Italy	3269	ASN-IBSNAZIT	false
84.4.51.252	unknown	France	8228	CEGETEL-ASFR	false
151.250.59.213	unknown	Turkey	34984	TELLCOM-ASTR	false
39.27.35.122	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
66.249.208.7	unknown	United States	263783	TelefonicaMovilesElSalvadorSAdeCVSV	false
189.149.208.100	unknown	Mexico	8151	UninetSAdeCVMX	false
148.88.191.96	unknown	United Kingdom	786	JANETJiscServicesLimitedGB	false
75.254.245.174	unknown	United States	22394	CELLCOUS	false
126.71.54.80	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
63.82.137.206	unknown	United States	22530	DLKCOREUS	false
13.183.171.172	unknown	United States	7018	ATT-INTERNET4US	false
63.34.62.30	unknown	United States	16509	AMAZON-02US	false
16.128.90.54	unknown	United States	unknown	unknown	false
164.68.58.122	unknown	United States	33491	COMCAST-33491US	false
14.9.218.72	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
19.31.71.136	unknown	United States	3	MIT-GATEWAYSUS	false
154.232.39.223	unknown	Cote D'ivoire	36974	AFNET-ASCI	false
121.240.24.72	unknown	India	4755	TATACOMM-ASTATACommunicationsformerlyVSNLisLeadingISP	false
125.230.178.235	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
126.97.253.94	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
43.80.136.150	unknown	Japan	4249	LILLY-ASUS	false
148.82.30.56	unknown	Norway	2116	ASN-CATCHCOMNO	false
32.219.167.7	unknown	United States	46690	SNET-FCCUS	false
203.69.188.213	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
182.12.230.65	unknown	Indonesia	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
178.166.54.39	unknown	Portugal	12353	VODAFONE-PTVodafonePortugalPT	false
123.43.115.37	unknown	Korea Republic of	6619	SAMSUNGSDS-AS-KRSamsungSDSIncKR	false
139.3.152.138	unknown	Germany	15486	MATERNA-ASDE	false
197.136.200.27	unknown	Kenya	36914	KENET-ASKE	false
90.199.44.81	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
72.97.169.72	unknown	United States	22394	CELLCOUS	false
163.34.66.70	unknown	Norway	2830	MCI-DUAL-HOMED-CUSTOMERSGB	false
39.250.54.83	unknown	Indonesia	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
120.159.142.193	unknown	Australia	135887	TELSTRA-BELONG-APTelstraCorporationAU	false
98.64.51.118	unknown	United States	11351	TWC-11351-NORTHEASTUS	false
17.225.120.248	unknown	United States	714	APPLE-ENGINEERINGUS	false
136.134.215.169	unknown	United States	60311	ONEFMCH	false
252.178.25.110	unknown	Reserved	unknown	unknown	false
27.55.158.39	unknown	Thailand	132061	REALMOVE-AS-APRealmoveCompanyLimitedTH	false
88.188.222.189	unknown	France	12322	PROXADFR	false
54.61.128.52	unknown	United States	14618	AMAZON-AESUS	false
141.179.46.50	unknown	Saudi Arabia	197921	HBTFJO	false
180.93.201.254	unknown	Viet Nam	7602	SPT-AS-VNSaigonPostelCorporationVN	false
196.163.215.25	unknown	South Africa	328065	Vast-Networks-ASZA	false
253.163.201.180	unknown	Reserved	unknown	unknown	false
12.99.29.172	unknown	United States	7018	ATT-INTERNET4US	false
150.203.102.36	unknown	Australia	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	false
192.184.168.97	unknown	United States	7065	SONOMAUS	false
158.221.30.171	unknown	United States	8556	LEVANTISCH	false
207.139.218.205	unknown	United States	701	UUNETUS	false
121.106.141.196	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
123.211.244.90	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
241.191.141.51	unknown	Reserved	unknown	unknown	false
117.27.93.243	unknown	China	133776	CHINATELECOM-FUJIAN-QUANZHOU-IDC1QuanzhouCN	false
242.69.219.211	unknown	Reserved	unknown	unknown	false
154.128.36.72	unknown	Egypt	37069	MOBINILEG	false
135.162.207.106	unknown	United States	14962	NCR-252US	false
133.164.200.47	unknown	Japan	11363	FUJITSU-USAUS	false
194.192.157.80	unknown	Denmark	3292	TDCTDCASDK	false
34.39.115.118	unknown	United States	2686	ATGS-MMD-ASUS	false
14.201.38.78	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	false
97.58.156.221	unknown	United States	22394	CELLCOUS	false
133.18.186.30	unknown	Japan	24282	KIRKAGOYAJAPANIncJP	false
72.249.127.250	unknown	United States	55045	TEKTONICUS	false
83.106.154.9	unknown	United Kingdom	2529	DEMON-INTERNETNowmaintainedbyCableWirelessWorldwide	false
173.254.89.32	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false
216.167.124.0	unknown	United States	2914	NTT-COMMUNICATIONS-2914US	false
165.188.193.247	unknown	United States	7046	RFC2270-UUNET-CUSTOMERUS	false
188.194.255.126	unknown	Germany	31334	KABELDEUTSCHLAND-ASDE	true
34.11.95.205	unknown	United States	2686	ATGS-MMD-ASUS	false
197.44.77.126	unknown	Egypt	8452	TE-ASTE-ASEG	false
208.251.30.111	unknown	United States	4208	THE-ISERV-COMPANYUS	false
101.122.220.109	unknown	China	133612	VODAFONE-AS-APVodafoneAustraliaPtyLtdAU	false
218.62.23.71	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
220.188.110.53	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
182.224.230.163	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
16.156.54.149	unknown	United States	unknown	unknown	false
63.237.52.235	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
83.142.228.128	unknown	United Kingdom	20860	IOMART-ASGB	false
252.23.58.9	unknown	Reserved	unknown	unknown	false
45.161.168.68	unknown	Argentina	265751	CooperativadeProvisiondeObrasyServiciosPublicosdeBa	false
71.232.108.2	unknown	United States	7922	COMCAST-7922US	false
126.92.157.231	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
250.53.43.75	unknown	Reserved	unknown	unknown	false

Runtime Messages

Command:	/tmp/ovLjmo5UoE
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HBTFJO	rnQYDw7A4G	Get hash	malicious	Browse	141.179.178.40
	qiJTsutSGd	Get hash	malicious	Browse	141.128.59.194
	networkmanager	Get hash	malicious	Browse	141.128.58.33
SWISSCOMSwisscomSwitzerlandLtdCH	U1R7Ed7940	Get hash	malicious	Browse	92.104.24.14
	Xr3hmBQcmw	Get hash	malicious	Browse	199.58.15.29
	eAtDhymLzp	Get hash	malicious	Browse	170.17.254.65
	StyBaUxNYq	Get hash	malicious	Browse	170.17.254.76
	tPzL0MlKIo	Get hash	malicious	Browse	164.128.83.121
	7Pvt6Jni6p	Get hash	malicious	Browse	178.174.84.95
	BWG6npgduP	Get hash	malicious	Browse	188.63.207.147
	FawDB415Y0	Get hash	malicious	Browse	164.213.217.106
	9Rka7BK2rI	Get hash	malicious	Browse	83.76.95.84
	Xlojlgo2gb	Get hash	malicious	Browse	161.78.252.122
	wZ6O9wSQ4e	Get hash	malicious	Browse	146.4.138.25
	popsmoke.mpsl	Get hash	malicious	Browse	85.4.56.40
	popsmoke.mpsl	Get hash	malicious	Browse	85.4.129.193
	NJrrXRv8zV	Get hash	malicious	Browse	199.58.15.19
	0aC0TBcdxb	Get hash	malicious	Browse	62.202.137.210
	packa.....(1).exe	Get hash	malicious	Browse	194.209.26.19
	8UsA.sh	Get hash	malicious	Browse	164.194.71.73
	rIbyGX66Op	Get hash	malicious	Browse	46.14.87.211
	wEcncyxrEe	Get hash	malicious	Browse	193.247.145.159
	v22Pc0qA.doc.doc	Get hash	malicious	Browse	194.209.195.106
ATT-MOBILITY-LLC-AS20057US	LyxN1ckWTW	Get hash	malicious	Browse	32.177.92.64
	oEF7GAiRIg	Get hash	malicious	Browse	107.239.189.255
	GEso3CniSk	Get hash	malicious	Browse	107.126.232.108
	VGi1EK6T17	Get hash	malicious	Browse	107.238.216.59
	C4PozjQdGE	Get hash	malicious	Browse	166.135.156.175
	kb5IbEJU8c	Get hash	malicious	Browse	155.167.205.95
	Xr3hmBQcmw	Get hash	malicious	Browse	107.89.110.96
	SUpODCSauS	Get hash	malicious	Browse	107.80.66.77
	rxfttQnoO5	Get hash	malicious	Browse	32.179.93.22
	TFG18FA4eD	Get hash	malicious	Browse	32.179.205.98
	YazlX01sZD	Get hash	malicious	Browse	166.131.98.187
	IYmbrE4LVN	Get hash	malicious	Browse	107.235.32.36
	7Pvt6Jni6p	Get hash	malicious	Browse	107.84.32.16
	wZ6O9wSQ4e	Get hash	malicious	Browse	166.203.93.113
	Z7bNxhhS7y	Get hash	malicious	Browse	166.173.75.114
	Ebex99Bzzw	Get hash	malicious	Browse	107.238.216.34
	Rl9KiguX35	Get hash	malicious	Browse	166.208.166.27
	o0z4JJpYNf	Get hash	malicious	Browse	166.206.214.209
	XPChvE6GQd	Get hash	malicious	Browse	32.191.153.155
	8UsA.sh	Get hash	malicious	Browse	107.84.32.11
BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService	s54l0GKMh9	Get hash	malicious	Browse	106.199.18.119
	XuQRPW44hi	Get hash	malicious	Browse	27.62.7.11
	5qpsqg7U0G	Get hash	malicious	Browse	106.216.219.55
	Qka3fi8NpL	Get hash	malicious	Browse	182.66.53.126
	SUpODCSauS	Get hash	malicious	Browse	106.193.85.203
	CGjf615z6v	Get hash	malicious	Browse	106.202.148.183
	eAtDhymLzp	Get hash	malicious	Browse	106.199.110.165
	FawDB415Y0	Get hash	malicious	Browse	223.191.224.241
	sap7ltEdFx	Get hash	malicious	Browse	223.237.42.14
	Vk3A1yJJMg	Get hash	malicious	Browse	223.179.202.232
	471u0A1FPw	Get hash	malicious	Browse	182.67.0.255
	9Rka7BK2rI	Get hash	malicious	Browse	223.189.108.131
	FN0ZF2Nm21	Get hash	malicious	Browse	27.56.113.237
	YXYFqHRx2m	Get hash	malicious	Browse	106.223.19.235
	eubqHHIQkc	Get hash	malicious	Browse	106.200.18.85
	i	Get hash	malicious	Browse	106.206.253.40
	er5c5eUn.exe	Get hash	malicious	Browse	106.214.237.83
	i	Get hash	malicious	Browse	223.187.54.231
	IMG001.exe	Get hash	malicious	Browse	171.49.33.151
	1.sh	Get hash	malicious	Browse	182.66.161.218

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/proc/4602/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	-1000.

/proc/4722/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	-1000.

/proc/4818/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	-1000.

/run/sshd.pid Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.9219280948873623
Encrypted:	false
SSDEEP:	3:Iv:Iv
MD5:	600AFFBB4A2E9025B7D50F6E1814B400
SHA1:	2DE94308B4453700D378CB9EF5BC75D22949188E
SHA-256:	C0B67778CE4256AEAC48B6D9CEE4A690221DA0A6A54FE04C5205577A5E655662
SHA-512:	EAA7DEE03F55E0D28B3F86C7DE5F38D0F263B62C1211D2401DEED0BFA6C481C0925EE63EFF33EC081F8D9ECEAE3ED158BFA44966A23680D063891C6C97FD16AD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	4818.

/var/cache/snapd/sections.M3RYNM10pCQM Download File
Process:	/usr/lib/snapd/snapd
File Type:	ASCII text
Category:	dropped
Size (bytes):	257
Entropy (8bit):	4.149772078213831
Encrypted:	false
SSDEEP:	6:+JwAuG+uP2J5I9W6IzvS5/GAEwKnK/JBMlvuNjpeWPnXMISz:J02Jt6W8ce+Oj8WX6
MD5:	966FD91045792732666DBA4D113B0D48
SHA1:	9DCADCCCE036C48AEADCA9632A6E8EBADC69EE18
SHA-256:	244EB764054FECCD5D77FAD9273ECC7C1B427551FA153876C889C59D1959630D
SHA-512:	DEB94A2508E4B8A26073FC1F71E71EB19D877C890BFB93FBE4E700643FA82FF78135A146AB47EC702D6FB6D4A2FDDF5257BBF5B5E6992CAB81A15CA9B43D36BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	art-and-design.books-and-reference.development.devices-and-iot.education.entertainment.featured.finance.games.health-and-fitness.music-and-audio.news-and-weather.personalisation.photo-and-video.productivity.science.security.server-and-cloud.social.utilities

/var/cache/snapd/sections.nCHfbhTWJ818 Download File
Process:	/usr/lib/snapd/snapd
File Type:	ASCII text
Category:	dropped
Size (bytes):	257
Entropy (8bit):	4.149772078213831
Encrypted:	false
SSDEEP:	6:+JwAuG+uP2J5I9W6IzvS5/GAEwKnK/JBMlvuNjpeWPnXMISz:J02Jt6W8ce+Oj8WX6
MD5:	966FD91045792732666DBA4D113B0D48
SHA1:	9DCADCCCE036C48AEADCA9632A6E8EBADC69EE18
SHA-256:	244EB764054FECCD5D77FAD9273ECC7C1B427551FA153876C889C59D1959630D
SHA-512:	DEB94A2508E4B8A26073FC1F71E71EB19D877C890BFB93FBE4E700643FA82FF78135A146AB47EC702D6FB6D4A2FDDF5257BBF5B5E6992CAB81A15CA9B43D36BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	art-and-design.books-and-reference.development.devices-and-iot.education.entertainment.featured.finance.games.health-and-fitness.music-and-audio.news-and-weather.personalisation.photo-and-video.productivity.science.security.server-and-cloud.social.utilities

Static File Info

General
File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	7.871362919929778
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	ovLjmo5UoE
File size:	26184
MD5:	96468aa8293a504d9431860381691baf
SHA1:	a2e7baff712d4a1a41b2b83f60e0afcbaa774190
SHA256:	6596ffeba4d8ea7bc59db3f41d511c1241263f9dd3c01a5657c89279bc8c4fd5
SHA512:	459cade4bd23f5e3f7318d1ddb98789862d6a84b47dd0e0cb6fbcf58f13a0adb10b2799ef023ff00e23081d0b4fd33e777211026a5327302052f3ddd091e0b96
SSDEEP:	768:12G214DFyosXqgvV9o1ndB08F+JgGlzDpbuR1J9:12GdDgosaaO1ndmVJuv
File Content Preview:	.ELF......................Q....4.........4. ...(......................e...e..................E...E......................UPX!.h.........T...T.......T.......?.E.h4...@b..) ..]....E...GS.U....e5.T3z".J{..m...\|0.L.!Q.....j...]......Yt.//..@...,..N............

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x1051d8
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0x651c	0x651c	4.1666	0x5	R E	0x10000
LOAD	0x18c0	0x4518c0	0x4518c0	0x0	0x0	0.0000	0x6	RW	0x10000

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 11:32:37.006854057 CEST	35968	23	192.168.2.20	76.213.67.173
Jul 22, 2021 11:32:37.006879091 CEST	35968	23	192.168.2.20	179.205.5.65
Jul 22, 2021 11:32:37.006894112 CEST	35968	23	192.168.2.20	61.153.233.170
Jul 22, 2021 11:32:37.006927967 CEST	35968	23	192.168.2.20	207.227.209.173
Jul 22, 2021 11:32:37.006943941 CEST	35968	23	192.168.2.20	171.78.44.24
Jul 22, 2021 11:32:37.006949902 CEST	35968	23	192.168.2.20	106.127.255.204
Jul 22, 2021 11:32:37.006998062 CEST	35968	23	192.168.2.20	58.226.155.34
Jul 22, 2021 11:32:37.006999969 CEST	35968	23	192.168.2.20	246.232.49.78
Jul 22, 2021 11:32:37.007040977 CEST	35968	23	192.168.2.20	191.41.100.141
Jul 22, 2021 11:32:37.007056952 CEST	35968	23	192.168.2.20	2.185.178.168
Jul 22, 2021 11:32:37.007075071 CEST	35968	23	192.168.2.20	84.123.113.61
Jul 22, 2021 11:32:37.007078886 CEST	35968	23	192.168.2.20	44.158.120.198
Jul 22, 2021 11:32:37.007091045 CEST	35968	23	192.168.2.20	142.213.109.21
Jul 22, 2021 11:32:37.007102013 CEST	35968	23	192.168.2.20	93.53.253.241
Jul 22, 2021 11:32:37.007103920 CEST	35968	23	192.168.2.20	108.134.218.175
Jul 22, 2021 11:32:37.007108927 CEST	35968	23	192.168.2.20	146.224.14.156
Jul 22, 2021 11:32:37.007118940 CEST	35968	23	192.168.2.20	61.108.93.79
Jul 22, 2021 11:32:37.007128954 CEST	35968	23	192.168.2.20	180.78.14.186
Jul 22, 2021 11:32:37.007148981 CEST	35968	23	192.168.2.20	201.244.205.166
Jul 22, 2021 11:32:37.007149935 CEST	35968	23	192.168.2.20	98.36.135.212
Jul 22, 2021 11:32:37.007162094 CEST	35968	23	192.168.2.20	168.174.231.242
Jul 22, 2021 11:32:37.007167101 CEST	35968	23	192.168.2.20	123.232.167.199
Jul 22, 2021 11:32:37.007181883 CEST	35968	23	192.168.2.20	9.195.127.44
Jul 22, 2021 11:32:37.007188082 CEST	35968	23	192.168.2.20	179.156.207.215
Jul 22, 2021 11:32:37.007189989 CEST	35968	23	192.168.2.20	116.218.236.8
Jul 22, 2021 11:32:37.007205009 CEST	35968	23	192.168.2.20	169.217.183.31
Jul 22, 2021 11:32:37.007211924 CEST	35968	23	192.168.2.20	106.32.83.100
Jul 22, 2021 11:32:37.007235050 CEST	35968	23	192.168.2.20	247.61.232.15
Jul 22, 2021 11:32:37.007235050 CEST	35968	23	192.168.2.20	195.56.215.241
Jul 22, 2021 11:32:37.007237911 CEST	35968	23	192.168.2.20	57.192.68.113
Jul 22, 2021 11:32:37.007261992 CEST	35968	23	192.168.2.20	149.42.143.229
Jul 22, 2021 11:32:37.007280111 CEST	35968	23	192.168.2.20	172.233.225.100
Jul 22, 2021 11:32:37.007293940 CEST	35968	23	192.168.2.20	183.204.18.102
Jul 22, 2021 11:32:37.007308006 CEST	35968	23	192.168.2.20	2.162.159.163
Jul 22, 2021 11:32:37.007340908 CEST	35968	23	192.168.2.20	59.115.76.5
Jul 22, 2021 11:32:37.007348061 CEST	35968	23	192.168.2.20	13.205.47.249
Jul 22, 2021 11:32:37.007366896 CEST	35968	23	192.168.2.20	47.80.23.223
Jul 22, 2021 11:32:37.007366896 CEST	35968	23	192.168.2.20	244.162.61.181
Jul 22, 2021 11:32:37.007375956 CEST	35968	23	192.168.2.20	80.181.253.238
Jul 22, 2021 11:32:37.007378101 CEST	35968	23	192.168.2.20	120.0.37.110
Jul 22, 2021 11:32:37.007379055 CEST	35968	23	192.168.2.20	17.113.161.8
Jul 22, 2021 11:32:37.007397890 CEST	35968	23	192.168.2.20	174.139.81.39
Jul 22, 2021 11:32:37.007405996 CEST	35968	23	192.168.2.20	243.213.237.102
Jul 22, 2021 11:32:37.007417917 CEST	35968	23	192.168.2.20	207.118.80.185
Jul 22, 2021 11:32:37.007421017 CEST	35968	23	192.168.2.20	183.175.49.51
Jul 22, 2021 11:32:37.007447958 CEST	35968	23	192.168.2.20	159.136.86.95
Jul 22, 2021 11:32:37.007457018 CEST	35968	23	192.168.2.20	69.194.204.4
Jul 22, 2021 11:32:37.007457018 CEST	35968	23	192.168.2.20	82.5.236.115
Jul 22, 2021 11:32:37.008392096 CEST	35686	1312	192.168.2.20	37.230.137.227
Jul 22, 2021 11:32:37.009011030 CEST	35968	23	192.168.2.20	76.181.217.1
Jul 22, 2021 11:32:37.009021997 CEST	35968	23	192.168.2.20	27.130.25.184
Jul 22, 2021 11:32:37.009044886 CEST	35968	23	192.168.2.20	16.209.224.59
Jul 22, 2021 11:32:37.009043932 CEST	35968	23	192.168.2.20	110.170.40.255
Jul 22, 2021 11:32:37.009054899 CEST	35968	23	192.168.2.20	183.255.101.206
Jul 22, 2021 11:32:37.009063005 CEST	35968	23	192.168.2.20	218.43.22.37
Jul 22, 2021 11:32:37.009077072 CEST	35968	23	192.168.2.20	58.240.237.159
Jul 22, 2021 11:32:37.009090900 CEST	35968	23	192.168.2.20	20.44.34.231
Jul 22, 2021 11:32:37.009100914 CEST	35968	23	192.168.2.20	92.44.238.172
Jul 22, 2021 11:32:37.009150982 CEST	35968	23	192.168.2.20	81.28.117.223
Jul 22, 2021 11:32:37.009154081 CEST	35968	23	192.168.2.20	62.25.27.207
Jul 22, 2021 11:32:37.009156942 CEST	35968	23	192.168.2.20	177.71.169.221
Jul 22, 2021 11:32:37.009159088 CEST	35968	23	192.168.2.20	196.137.199.50
Jul 22, 2021 11:32:37.009183884 CEST	35968	23	192.168.2.20	206.103.28.221
Jul 22, 2021 11:32:37.009191036 CEST	35968	23	192.168.2.20	197.239.13.50
Jul 22, 2021 11:32:37.009200096 CEST	35968	23	192.168.2.20	72.39.159.203
Jul 22, 2021 11:32:37.009202957 CEST	35968	23	192.168.2.20	43.252.11.69
Jul 22, 2021 11:32:37.009229898 CEST	35968	23	192.168.2.20	5.207.147.61
Jul 22, 2021 11:32:37.009232044 CEST	35968	23	192.168.2.20	255.221.255.112
Jul 22, 2021 11:32:37.009233952 CEST	35968	23	192.168.2.20	181.179.100.111
Jul 22, 2021 11:32:37.009262085 CEST	35968	23	192.168.2.20	18.251.195.201
Jul 22, 2021 11:32:37.009269953 CEST	35968	23	192.168.2.20	133.212.126.254
Jul 22, 2021 11:32:37.009274960 CEST	35968	23	192.168.2.20	24.191.78.115
Jul 22, 2021 11:32:37.009284019 CEST	35968	23	192.168.2.20	180.58.235.167
Jul 22, 2021 11:32:37.009288073 CEST	35968	23	192.168.2.20	69.240.96.208
Jul 22, 2021 11:32:37.009294987 CEST	35968	23	192.168.2.20	250.113.183.73
Jul 22, 2021 11:32:37.009314060 CEST	35968	23	192.168.2.20	4.81.208.239
Jul 22, 2021 11:32:37.009315968 CEST	35968	23	192.168.2.20	90.180.125.20
Jul 22, 2021 11:32:37.009332895 CEST	35968	23	192.168.2.20	156.90.218.106
Jul 22, 2021 11:32:37.009341955 CEST	35968	23	192.168.2.20	16.90.154.204
Jul 22, 2021 11:32:37.009372950 CEST	35968	23	192.168.2.20	112.69.39.8
Jul 22, 2021 11:32:37.009376049 CEST	35968	23	192.168.2.20	130.194.139.201
Jul 22, 2021 11:32:37.009380102 CEST	35968	23	192.168.2.20	92.231.232.163
Jul 22, 2021 11:32:37.009397984 CEST	35968	23	192.168.2.20	70.96.33.196
Jul 22, 2021 11:32:37.009435892 CEST	35968	23	192.168.2.20	60.106.125.32
Jul 22, 2021 11:32:37.009533882 CEST	35968	23	192.168.2.20	172.72.246.208
Jul 22, 2021 11:32:37.009542942 CEST	35968	23	192.168.2.20	97.203.176.42
Jul 22, 2021 11:32:37.009576082 CEST	35968	23	192.168.2.20	45.21.143.220
Jul 22, 2021 11:32:37.009582043 CEST	35968	23	192.168.2.20	250.204.143.142
Jul 22, 2021 11:32:37.009597063 CEST	35968	23	192.168.2.20	13.219.123.183
Jul 22, 2021 11:32:37.009624004 CEST	35968	23	192.168.2.20	204.187.189.187
Jul 22, 2021 11:32:37.009640932 CEST	35968	23	192.168.2.20	103.90.10.29
Jul 22, 2021 11:32:37.009644985 CEST	35968	23	192.168.2.20	60.81.180.91
Jul 22, 2021 11:32:37.009650946 CEST	35968	23	192.168.2.20	92.19.142.160
Jul 22, 2021 11:32:37.009654999 CEST	35968	23	192.168.2.20	45.188.49.219
Jul 22, 2021 11:32:37.009663105 CEST	35968	23	192.168.2.20	172.68.43.214
Jul 22, 2021 11:32:37.009668112 CEST	35968	23	192.168.2.20	122.47.233.44
Jul 22, 2021 11:32:37.009677887 CEST	35968	23	192.168.2.20	179.165.191.183
Jul 22, 2021 11:32:37.009713888 CEST	35968	23	192.168.2.20	128.11.160.15
Jul 22, 2021 11:32:37.009728909 CEST	35968	23	192.168.2.20	2.153.94.25
Jul 22, 2021 11:32:37.009738922 CEST	35968	23	192.168.2.20	202.237.64.181

System Behavior

Analysis Process: ovLjmo5UoE PID: 4571 Parent PID: 4498

General

Start time:	11:32:35
Start date:	22/07/2021
Path:	/tmp/ovLjmo5UoE
Arguments:	/usr/bin/qemu-mips /tmp/ovLjmo5UoE
File size:	26184 bytes
MD5 hash:	96468aa8293a504d9431860381691baf

Analysis Process: ovLjmo5UoE PID: 4586 Parent PID: 4571

General

Start time:	11:32:35
Start date:	22/07/2021
Path:	/tmp/ovLjmo5UoE
Arguments:	n/a
File size:	26184 bytes
MD5 hash:	96468aa8293a504d9431860381691baf

Analysis Process: ovLjmo5UoE PID: 4587 Parent PID: 4571

General

Start time:	11:32:35
Start date:	22/07/2021
Path:	/tmp/ovLjmo5UoE
Arguments:	n/a
File size:	26184 bytes
MD5 hash:	96468aa8293a504d9431860381691baf

Analysis Process: ovLjmo5UoE PID: 4588 Parent PID: 4571

General

Start time:	11:32:35
Start date:	22/07/2021
Path:	/tmp/ovLjmo5UoE
Arguments:	n/a
File size:	26184 bytes
MD5 hash:	96468aa8293a504d9431860381691baf

Analysis Process: ovLjmo5UoE PID: 4590 Parent PID: 4588

General

Start time:	11:32:35
Start date:	22/07/2021
Path:	/tmp/ovLjmo5UoE
Arguments:	n/a
File size:	26184 bytes
MD5 hash:	96468aa8293a504d9431860381691baf

Analysis Process: ovLjmo5UoE PID: 4591 Parent PID: 4588

General

Start time:	11:32:35
Start date:	22/07/2021
Path:	/tmp/ovLjmo5UoE
Arguments:	n/a
File size:	26184 bytes
MD5 hash:	96468aa8293a504d9431860381691baf

Analysis Process: ovLjmo5UoE PID: 4592 Parent PID: 4588

General

Start time:	11:32:35
Start date:	22/07/2021
Path:	/tmp/ovLjmo5UoE
Arguments:	n/a
File size:	26184 bytes
MD5 hash:	96468aa8293a504d9431860381691baf

Analysis Process: systemd PID: 4602 Parent PID: 1

General

Start time:	11:32:41
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: sshd PID: 4602 Parent PID: 1

General

Start time:	11:32:41
Start date:	22/07/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	791024 bytes
MD5 hash:	661b2a2da3b6c7d7ef41d0b9da1caa3b

Analysis Process: systemd PID: 4614 Parent PID: 1

General

Start time:	11:33:05
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: NetworkManager PID: 4614 Parent PID: 1

General

Start time:	11:33:05
Start date:	22/07/2021
Path:	/usr/sbin/NetworkManager
Arguments:	/usr/sbin/NetworkManager --no-daemon
File size:	2953816 bytes
MD5 hash:	43dcb4efce9c2c522442ae62538bf659

Analysis Process: systemd PID: 4628 Parent PID: 1

General

Start time:	11:33:05
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: nm-online PID: 4628 Parent PID: 1

General

Start time:	11:33:05
Start date:	22/07/2021
Path:	/usr/bin/nm-online
Arguments:	/usr/bin/nm-online -s -q --timeout=30
File size:	14792 bytes
MD5 hash:	ac72f7c256e548d273a5133a245a1638

Analysis Process: systemd PID: 4641 Parent PID: 1

General

Start time:	11:33:06
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: nm-dispatcher PID: 4641 Parent PID: 1

General

Start time:	11:33:06
Start date:	22/07/2021
Path:	/usr/lib/NetworkManager/nm-dispatcher
Arguments:	/usr/lib/NetworkManager/nm-dispatcher
File size:	48656 bytes
MD5 hash:	7d4ef829ade49b564256f3f295f9c826

Analysis Process: nm-dispatcher PID: 4665 Parent PID: 4641

General

Start time:	11:33:06
Start date:	22/07/2021
Path:	/usr/lib/NetworkManager/nm-dispatcher
Arguments:	n/a
File size:	48656 bytes
MD5 hash:	7d4ef829ade49b564256f3f295f9c826

Analysis Process: 01ifupdown PID: 4665 Parent PID: 4641

General

Start time:	11:33:06
Start date:	22/07/2021
Path:	/etc/NetworkManager/dispatcher.d/01ifupdown
Arguments:	/bin/sh -e /etc/NetworkManager/dispatcher.d/01ifupdown none hostname
File size:	2146 bytes
MD5 hash:	299819a8e64f00a1edbdfc99d05a8594

Analysis Process: systemd PID: 4654 Parent PID: 1

General

Start time:	11:33:06
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: systemd-hostnamed PID: 4654 Parent PID: 1

General

Start time:	11:33:06
Start date:	22/07/2021
Path:	/lib/systemd/systemd-hostnamed
Arguments:	/lib/systemd/systemd-hostnamed
File size:	339152 bytes
MD5 hash:	b05764f1a40963131ea2e1cd585f4139

Analysis Process: systemd PID: 4679 Parent PID: 1

General

Start time:	11:33:09
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: snapd PID: 4679 Parent PID: 1

General

Start time:	11:33:09
Start date:	22/07/2021
Path:	/usr/lib/snapd/snapd
Arguments:	/usr/lib/snapd/snapd
File size:	21178072 bytes
MD5 hash:	416402f94a949af355c09e8bccfa0eb0

Analysis Process: systemd PID: 4698 Parent PID: 1

General

Start time:	11:33:19
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: iscsiadm PID: 4698 Parent PID: 1

General

Start time:	11:33:19
Start date:	22/07/2021
Path:	/sbin/iscsiadm
Arguments:	/sbin/iscsiadm -k 0 2
File size:	754952 bytes
MD5 hash:	b9363fe8099be776e324a481e209d7c4

Analysis Process: systemd PID: 4722 Parent PID: 1

General

Start time:	11:34:22
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: sshd PID: 4722 Parent PID: 1

General

Start time:	11:34:22
Start date:	22/07/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	791024 bytes
MD5 hash:	661b2a2da3b6c7d7ef41d0b9da1caa3b

Analysis Process: systemd PID: 4776 Parent PID: 1

General

Start time:	11:34:23
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: systemd-hostnamed PID: 4776 Parent PID: 1

General

Start time:	11:34:23
Start date:	22/07/2021
Path:	/lib/systemd/systemd-hostnamed
Arguments:	/lib/systemd/systemd-hostnamed
File size:	339152 bytes
MD5 hash:	b05764f1a40963131ea2e1cd585f4139

Analysis Process: systemd PID: 4799 Parent PID: 1

General

Start time:	11:34:24
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: snapd PID: 4799 Parent PID: 1

General

Start time:	11:34:24
Start date:	22/07/2021
Path:	/usr/lib/snapd/snapd
Arguments:	/usr/lib/snapd/snapd
File size:	21178072 bytes
MD5 hash:	416402f94a949af355c09e8bccfa0eb0

Analysis Process: systemd PID: 4818 Parent PID: 1

General

Start time:	11:34:26
Start date:	22/07/2021
Path:	/lib/systemd/systemd
Arguments:	n/a
File size:	0 bytes
MD5 hash:	00000000000000000000000000000000

Analysis Process: sshd PID: 4818 Parent PID: 1

General

Start time:	11:34:26
Start date:	22/07/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	791024 bytes
MD5 hash:	661b2a2da3b6c7d7ef41d0b9da1caa3b

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.
Tactics:	Collection
Data Sources:
Platforms:	Android
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report ovLjmo5UoE

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

PCAP (Network Traffic)

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Malware Analysis System Evasion:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: ovLjmo5UoE PID: 4571 Parent PID: 4498

General

Analysis Process: ovLjmo5UoE PID: 4586 Parent PID: 4571

General

Analysis Process: ovLjmo5UoE PID: 4587 Parent PID: 4571

General

Analysis Process: ovLjmo5UoE PID: 4588 Parent PID: 4571

General

Analysis Process: ovLjmo5UoE PID: 4590 Parent PID: 4588

General

Analysis Process: ovLjmo5UoE PID: 4591 Parent PID: 4588

General

Analysis Process: ovLjmo5UoE PID: 4592 Parent PID: 4588

General

Analysis Process: systemd PID: 4602 Parent PID: 1

General

Analysis Process: sshd PID: 4602 Parent PID: 1

General

Analysis Process: systemd PID: 4614 Parent PID: 1

General

Analysis Process: NetworkManager PID: 4614 Parent PID: 1

General

Analysis Process: systemd PID: 4628 Parent PID: 1

General

Analysis Process: nm-online PID: 4628 Parent PID: 1