Play interactive tour

Edit tour

Linux Analysis Report 61KiF94nKN

Overview

General Information

Sample Name:	61KiF94nKN
Analysis ID:	533998
MD5:	06d58f655cb40ee644bd74e19483ba8b
SHA1:	84a92f7b7855ef9f1ec12e10ef38b3bc7045d903
SHA256:	e0f8643b2d10593678b16fdaab7bc4a070cdbe4a8a617b0a37bda328f4002235
Tags:	32elfmiraisparc
Infos:

Detection

Mirai

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Connects to many ports of the same IP (likely port scanning)

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	533998
Start date:	04.12.2021
Start time:	22:44:53
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	61KiF94nKN
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal72.troj.lin@0/2@13/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing network information. TCP Packets have been reduced to 100

Process Tree

system is lnxubuntu20

61KiF94nKN (PID: 5224, Parent: 5117, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/61KiF94nKN

61KiF94nKN New Fork (PID: 5226, Parent: 5224)

61KiF94nKN New Fork (PID: 5265, Parent: 5226)

61KiF94nKN New Fork (PID: 5266, Parent: 5226)

61KiF94nKN New Fork (PID: 5269, Parent: 5266)

61KiF94nKN New Fork (PID: 5276, Parent: 5269)

61KiF94nKN New Fork (PID: 5278, Parent: 5269)

61KiF94nKN New Fork (PID: 5300, Parent: 5278)

61KiF94nKN New Fork (PID: 5272, Parent: 5266)

61KiF94nKN New Fork (PID: 5274, Parent: 5266)

61KiF94nKN New Fork (PID: 5315, Parent: 5274)

61KiF94nKN New Fork (PID: 5358, Parent: 5274)

61KiF94nKN New Fork (PID: 5227, Parent: 5224)

61KiF94nKN New Fork (PID: 5228, Parent: 5224)

61KiF94nKN New Fork (PID: 5232, Parent: 5228)

61KiF94nKN New Fork (PID: 5233, Parent: 5228)

61KiF94nKN New Fork (PID: 5235, Parent: 5228)

61KiF94nKN New Fork (PID: 5288, Parent: 5235)

61KiF94nKN New Fork (PID: 5296, Parent: 5288)

61KiF94nKN New Fork (PID: 5294, Parent: 5235)

61KiF94nKN New Fork (PID: 5326, Parent: 5294)

61KiF94nKN New Fork (PID: 5332, Parent: 5326)

61KiF94nKN New Fork (PID: 5336, Parent: 5332)

61KiF94nKN New Fork (PID: 5334, Parent: 5326)

systemd New Fork (PID: 5263, Parent: 1)

sshd (PID: 5263, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t

systemd New Fork (PID: 5264, Parent: 1)

sshd (PID: 5264, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D

cleanup

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 61KiF94nKN	Virustotal: Detection: 36%			Perma Link
Source: 61KiF94nKN	ReversingLabs: Detection: 40%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:55898
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 188.225.165.67:23 -> 192.168.2.23:37052
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 188.225.165.67:23 -> 192.168.2.23:37052
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:60090 -> 89.171.39.145:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:56610
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:56606
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:56608
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:50692
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:50696
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:56238 -> 190.105.72.110:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:50740
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:56674
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:50752
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:56690
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:56696
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.136.212.54:23 -> 192.168.2.23:44096
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:56690 -> 223.76.244.29:23
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:56170
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:50844
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:56172
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:50872
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.136.212.54:23 -> 192.168.2.23:44184
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:56910
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:56938
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:51028
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:51034
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:56966
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:50846
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.136.212.54:23 -> 192.168.2.23:44342
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:50864
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:50924
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:56494 -> 183.245.121.8:23
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:56494
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:51176
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:51178
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:50980
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57124
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:51502
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:51502
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:51514
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:51514
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57134
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.136.212.54:23 -> 192.168.2.23:44526
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57166
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51032
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51054
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:51272
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51064
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:51276
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.136.212.54:23 -> 192.168.2.23:44628
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:37274 -> 1.173.125.141:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51086
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57228
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:56664
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:51314
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51100
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51106
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:51322
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57258
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57264
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51126
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 61.136.212.54:23 -> 192.168.2.23:44660
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:51404
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51206
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:51428
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57370
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51228
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51234
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:56804
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:51776
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:51776
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:51782
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:51782
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57392
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51254
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:51470
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:51478
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57402
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:54878 -> 36.239.107.74:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51284
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57434
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51300
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51312
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:51300 -> 218.248.46.241:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 12.247.13.94:23 -> 192.168.2.23:51536
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51338
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57488
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57512
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51390
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:56992 -> 183.245.121.8:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57572
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:56992
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51442
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.219.169.105:23 -> 192.168.2.23:57492
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51456
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51480
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:57046
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57628
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:52042
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:52042
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:52048
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:52048
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57666
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:47088
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:55820 -> 187.115.198.253:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:47116
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51550
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.219.169.105:23 -> 192.168.2.23:57614
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51588
Source: Traffic	Snort IDS: 716 INFO TELNET access 36.152.242.114:23 -> 192.168.2.23:59028
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57734
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51596
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.219.169.105:23 -> 192.168.2.23:57650
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:33036 -> 89.171.39.145:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51616
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.226.46.82:23 -> 192.168.2.23:47088
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.226.46.82:23 -> 192.168.2.23:47116
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.219.169.105:23 -> 192.168.2.23:57678
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57784
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57788
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51670
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.219.169.105:23 -> 192.168.2.23:57724
Source: Traffic	Snort IDS: 716 INFO TELNET access 36.152.242.114:23 -> 192.168.2.23:59164
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51734
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.219.169.105:23 -> 192.168.2.23:57782
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51740
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57908
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:47330
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:47348
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:57348
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.219.169.105:23 -> 192.168.2.23:57840
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51798
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.219.169.105:23 -> 192.168.2.23:57868
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57964
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57966
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51836
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51838
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57984
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.76.244.29:23 -> 192.168.2.23:57982
Source: Traffic	Snort IDS: 716 INFO TELNET access 36.152.242.114:23 -> 192.168.2.23:59294
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:52384
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:52384
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:52404
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:52404
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.219.169.105:23 -> 192.168.2.23:57916
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:57966 -> 223.76.244.29:23
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.226.46.82:23 -> 192.168.2.23:47330
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:57982 -> 223.76.244.29:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51902
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.226.46.82:23 -> 192.168.2.23:47348
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51904
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51908
Source: Traffic	Snort IDS: 716 INFO TELNET access 45.163.44.227:23 -> 192.168.2.23:55908
Source: Traffic	Snort IDS: 716 INFO TELNET access 45.163.44.227:23 -> 192.168.2.23:55910
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:51928
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 2.179.124.160:23 -> 192.168.2.23:33552
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:57504
Source: Traffic	Snort IDS: 716 INFO TELNET access 36.152.242.114:23 -> 192.168.2.23:59404
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.219.169.105:23 -> 192.168.2.23:57972
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:47560
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:52004
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:47604
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:52040
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:52080
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:52092
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.161.155.91:23 -> 192.168.2.23:53284
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.161.155.91:23 -> 192.168.2.23:53290
Source: Traffic	Snort IDS: 716 INFO TELNET access 36.152.242.114:23 -> 192.168.2.23:59564
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:52134
Source: Traffic	Snort IDS: 716 INFO TELNET access 45.163.44.227:23 -> 192.168.2.23:56140
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.226.46.82:23 -> 192.168.2.23:47560
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.226.46.82:23 -> 192.168.2.23:47604
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 219.85.187.41:23 -> 192.168.2.23:60670
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 219.85.187.41:23 -> 192.168.2.23:60670
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 219.85.187.41:23 -> 192.168.2.23:60690
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 219.85.187.41:23 -> 192.168.2.23:60690
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:52250
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:52246
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:57900 -> 183.245.121.8:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 36.152.242.114:23 -> 192.168.2.23:59822
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.161.155.91:23 -> 192.168.2.23:53284
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.248.46.241:23 -> 192.168.2.23:52388
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:57884
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:57900
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.161.155.91:23 -> 192.168.2.23:53290
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:52770
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:52770
Source: Traffic	Snort IDS: 716 INFO TELNET access 45.163.44.227:23 -> 192.168.2.23:56176
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:52814
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:52814
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:52816
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:52816
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:52818
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:52818
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:48080
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:48074
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 93.103.21.179:23 -> 192.168.2.23:58054
Source: Traffic	Snort IDS: 716 INFO TELNET access 36.152.242.114:23 -> 192.168.2.23:60064
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.161.155.91:23 -> 192.168.2.23:53812
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.161.155.91:23 -> 192.168.2.23:53862
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 93.103.21.179:23 -> 192.168.2.23:58112
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.226.46.82:23 -> 192.168.2.23:48080
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:58258
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:54674
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:54674
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:54676
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:54676
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 93.103.21.179:23 -> 192.168.2.23:58148
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.226.46.82:23 -> 192.168.2.23:48074
Source: Traffic	Snort IDS: 716 INFO TELNET access 36.152.242.114:23 -> 192.168.2.23:60200
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.161.155.91:23 -> 192.168.2.23:53812
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:55672 -> 46.164.131.142:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:48404
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.161.155.91:23 -> 192.168.2.23:53862
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:54798
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:54798
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:48434
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:54800
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:54800
Source: Traffic	Snort IDS: 716 INFO TELNET access 36.152.242.114:23 -> 192.168.2.23:60352
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.161.155.91:23 -> 192.168.2.23:54122
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.226.46.82:23 -> 192.168.2.23:48404
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.108.203.2:23 -> 192.168.2.23:44254
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:58502
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.161.155.91:23 -> 192.168.2.23:54152
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 219.85.187.41:23 -> 192.168.2.23:33226
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 219.85.187.41:23 -> 192.168.2.23:33226
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:54912
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:54912
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:53476
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:53476
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:53488
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:53488
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:53502
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:53502
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:53500
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:53500
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:58546
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 219.85.187.41:23 -> 192.168.2.23:33248
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 219.85.187.41:23 -> 192.168.2.23:33248
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:54978
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:54978
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:53478
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:53478
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.226.46.82:23 -> 192.168.2.23:48434
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:53522
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:53522
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.238.74.44:23 -> 192.168.2.23:35714
Source: Traffic	Snort IDS: 716 INFO TELNET access 36.152.242.114:23 -> 192.168.2.23:60532
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:48718
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:55092
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:55092
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 113.108.203.2:23 -> 192.168.2.23:44254
Source: Traffic	Snort IDS: 716 INFO TELNET access 90.117.64.194:23 -> 192.168.2.23:60976
Source: Traffic	Snort IDS: 716 INFO TELNET access 90.117.64.194:23 -> 192.168.2.23:60978
Source: Traffic	Snort IDS: 716 INFO TELNET access 90.117.64.194:23 -> 192.168.2.23:60990
Source: Traffic	Snort IDS: 716 INFO TELNET access 90.117.64.194:23 -> 192.168.2.23:32784
Source: Traffic	Snort IDS: 716 INFO TELNET access 90.117.64.194:23 -> 192.168.2.23:32794
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.161.155.91:23 -> 192.168.2.23:54122
Source: Traffic	Snort IDS: 716 INFO TELNET access 90.117.64.194:23 -> 192.168.2.23:32798
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.161.155.91:23 -> 192.168.2.23:54152
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:55170
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:55170
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.238.74.44:23 -> 192.168.2.23:35872
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:48900
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:56264 -> 46.164.131.142:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:53734
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:53734
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:55384
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:55384
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.226.46.82:23 -> 192.168.2.23:48718
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.108.203.2:23 -> 192.168.2.23:44786
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 90.117.64.194:23 -> 192.168.2.23:60976
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 90.117.64.194:23 -> 192.168.2.23:60976
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 90.117.64.194:23 -> 192.168.2.23:60990
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 90.117.64.194:23 -> 192.168.2.23:60990
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 90.117.64.194:23 -> 192.168.2.23:60978
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 90.117.64.194:23 -> 192.168.2.23:60978
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 90.117.64.194:23 -> 192.168.2.23:32784
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 90.117.64.194:23 -> 192.168.2.23:32784
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 90.117.64.194:23 -> 192.168.2.23:32794
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 90.117.64.194:23 -> 192.168.2.23:32794
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 90.117.64.194:23 -> 192.168.2.23:32798
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 90.117.64.194:23 -> 192.168.2.23:32798
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:55454
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:55454
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.161.155.91:23 -> 192.168.2.23:54774
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.238.74.44:23 -> 192.168.2.23:36154
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.161.155.91:23 -> 192.168.2.23:54802
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.226.46.82:23 -> 192.168.2.23:48900
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:56880 -> 36.239.107.74:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:55752
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:55752
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.19.94.216:23 -> 192.168.2.23:54646
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.19.94.216:23 -> 192.168.2.23:54646
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:59342
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:49474
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 113.108.203.2:23 -> 192.168.2.23:44786
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.238.74.44:23 -> 192.168.2.23:36458
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.19.94.216:23 -> 192.168.2.23:54662
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.19.94.216:23 -> 192.168.2.23:54662
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.19.94.216:23 -> 192.168.2.23:54652
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.19.94.216:23 -> 192.168.2.23:54652
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.19.94.216:23 -> 192.168.2.23:54658
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.19.94.216:23 -> 192.168.2.23:54658
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.19.94.216:23 -> 192.168.2.23:54664
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.19.94.216:23 -> 192.168.2.23:54664
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 211.23.119.114:23 -> 192.168.2.23:58702
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 211.23.119.114:23 -> 192.168.2.23:58702
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 211.23.119.114:23 -> 192.168.2.23:58698
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 211.23.119.114:23 -> 192.168.2.23:58698
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 211.23.119.114:23 -> 192.168.2.23:58718
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 211.23.119.114:23 -> 192.168.2.23:58718
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:55788
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:55788
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 211.23.119.114:23 -> 192.168.2.23:58760
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 211.23.119.114:23 -> 192.168.2.23:58760
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:54264
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:54264
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 211.23.119.114:23 -> 192.168.2.23:58802
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 211.23.119.114:23 -> 192.168.2.23:58802
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:54300
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:54300
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:59460
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.161.155.91:23 -> 192.168.2.23:54774
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:54336
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:54336
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.161.155.91:23 -> 192.168.2.23:54802
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 211.23.119.114:23 -> 192.168.2.23:58852
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 211.23.119.114:23 -> 192.168.2.23:58852
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:54344
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:54344
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:54396
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:54396
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:49602
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:56006
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:56006
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.238.74.44:23 -> 192.168.2.23:36752
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.108.203.2:23 -> 192.168.2.23:45414
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.226.46.82:23 -> 192.168.2.23:49474
Source: Traffic	Snort IDS: 716 INFO TELNET access 90.117.64.194:23 -> 192.168.2.23:33708
Source: Traffic	Snort IDS: 716 INFO TELNET access 90.117.64.194:23 -> 192.168.2.23:33710
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 219.85.187.41:23 -> 192.168.2.23:34238
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 219.85.187.41:23 -> 192.168.2.23:34238
Source: Traffic	Snort IDS: 716 INFO TELNET access 90.117.64.194:23 -> 192.168.2.23:33726
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:56064
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:56064
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 219.85.187.41:23 -> 192.168.2.23:34414
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 219.85.187.41:23 -> 192.168.2.23:34414
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.161.155.91:23 -> 192.168.2.23:55428
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.161.155.91:23 -> 192.168.2.23:55442
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.19.94.216:23 -> 192.168.2.23:55230
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.19.94.216:23 -> 192.168.2.23:55230
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.238.74.44:23 -> 192.168.2.23:36912
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:56244
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:56244
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.226.46.82:23 -> 192.168.2.23:49602
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:54692
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:54692
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.245.121.8:23 -> 192.168.2.23:59796
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 113.108.203.2:23 -> 192.168.2.23:45414
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:49972
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 90.117.64.194:23 -> 192.168.2.23:33710
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 90.117.64.194:23 -> 192.168.2.23:33710
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 90.117.64.194:23 -> 192.168.2.23:33708
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 90.117.64.194:23 -> 192.168.2.23:33708
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:56314
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:56314
Source: Traffic	Snort IDS: 2024980 ET EXPLOIT Actiontec C1000A backdoor account M2 192.168.2.23:41674 -> 201.163.61.109:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 90.117.64.194:23 -> 192.168.2.23:33726
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 90.117.64.194:23 -> 192.168.2.23:33726
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.161.155.91:23 -> 192.168.2.23:55428
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.238.74.44:23 -> 192.168.2.23:37152
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.161.155.91:23 -> 192.168.2.23:55442
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:56450
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:56450
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:50088
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 202.101.183.165:23 -> 192.168.2.23:39500
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.108.203.2:23 -> 192.168.2.23:45882
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:56500
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:56500
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.143.24.158:23 -> 192.168.2.23:53200
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.143.24.158:23 -> 192.168.2.23:53200
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.143.24.158:23 -> 192.168.2.23:53208
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.143.24.158:23 -> 192.168.2.23:53208
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 211.23.119.114:23 -> 192.168.2.23:59636
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 211.23.119.114:23 -> 192.168.2.23:59636
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 211.23.119.114:23 -> 192.168.2.23:59634
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 211.23.119.114:23 -> 192.168.2.23:59634
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:55104
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:55104
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:55108
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:55108
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 211.23.119.114:23 -> 192.168.2.23:59638
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 211.23.119.114:23 -> 192.168.2.23:59638
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 211.23.119.114:23 -> 192.168.2.23:59648
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 211.23.119.114:23 -> 192.168.2.23:59648
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.161.155.91:23 -> 192.168.2.23:55924
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:55118
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:55118
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 211.23.119.114:23 -> 192.168.2.23:59662
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 211.23.119.114:23 -> 192.168.2.23:59662
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.226.46.82:23 -> 192.168.2.23:49972
Source: Traffic	Snort IDS: 716 INFO TELNET access 60.161.155.91:23 -> 192.168.2.23:55930
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:56690
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:56690
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:55136
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:55136
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.19.94.216:23 -> 192.168.2.23:55678
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.19.94.216:23 -> 192.168.2.23:55678
Source: Traffic	Snort IDS: 716 INFO TELNET access 45.163.44.227:23 -> 192.168.2.23:58578
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.19.94.216:23 -> 192.168.2.23:55700
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.19.94.216:23 -> 192.168.2.23:55700
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 211.23.119.114:23 -> 192.168.2.23:59684
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 211.23.119.114:23 -> 192.168.2.23:59684
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.26.231.214:23 -> 192.168.2.23:54238
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:55166
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:55166
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.19.94.216:23 -> 192.168.2.23:55706
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.19.94.216:23 -> 192.168.2.23:55706
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 122.226.46.82:23 -> 192.168.2.23:50088
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.19.94.216:23 -> 192.168.2.23:55696
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.19.94.216:23 -> 192.168.2.23:55696
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 113.108.203.2:23 -> 192.168.2.23:45882
Source: Traffic	Snort IDS: 716 INFO TELNET access 90.117.64.194:23 -> 192.168.2.23:34362
Source: Traffic	Snort IDS: 716 INFO TELNET access 90.117.64.194:23 -> 192.168.2.23:34364
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 69.173.208.6:23 -> 192.168.2.23:56774
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 69.173.208.6:23 -> 192.168.2.23:56774
Source: Traffic	Snort IDS: 716 INFO TELNET access 90.117.64.194:23 -> 192.168.2.23:34366
Source: Traffic	Snort IDS: 716 INFO TELNET access 90.117.64.194:23 -> 192.168.2.23:34368
Source: Traffic	Snort IDS: 716 INFO TELNET access 90.117.64.194:23 -> 192.168.2.23:34372
Source: Traffic	Snort IDS: 716 INFO TELNET access 90.117.64.194:23 -> 192.168.2.23:34370
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.26.231.214:23 -> 192.168.2.23:54342
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:50442
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.161.155.91:23 -> 192.168.2.23:55930
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 60.161.155.91:23 -> 192.168.2.23:55924
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.181.66.105:23 -> 192.168.2.23:55410
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.181.66.105:23 -> 192.168.2.23:55410
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.226.46.82:23 -> 192.168.2.23:50494
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.108.203.2:23 -> 192.168.2.23:46256
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 219.85.187.41:23 -> 192.168.2.23:35200
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 219.85.187.41:23 -> 192.168.2.23:35200
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 90.117.64.194:23 -> 192.168.2.23:34362
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 90.117.64.194:23 -> 192.168.2.23:34362
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 90.117.64.194:23 -> 192.168.2.23:34366
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 90.117.64.194:23 -> 192.168.2.23:34366
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 90.117.64.194:23 -> 192.168.2.23:34368
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 90.117.64.194:23 -> 192.168.2.23:34368
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 90.117.64.194:23 -> 192.168.2.23:34372
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 90.117.64.194:23 -> 192.168.2.23:34372
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 90.117.64.194:23 -> 192.168.2.23:34364
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 90.117.64.194:23 -> 192.168.2.23:34364
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 90.117.64.194:23 -> 192.168.2.23:34370
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 90.117.64.194:23 -> 192.168.2.23:34370

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37334
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37340
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37348
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37352
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37356
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37364
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37366
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37376
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37396
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37416
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39298
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39304
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39318
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39320
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39326
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39328
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39334
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39336
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39340
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39338
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39346
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39344
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39350
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39360
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39390
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39352
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39460
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39476
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39492
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39498
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39424
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39428
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39454
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39492
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39504
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39552
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39690
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39712
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39732
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39782
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46008
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46052
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46068
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46086
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46096
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46108
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46130
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46144
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46164
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46210
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 33984
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 33998
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34002
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34010
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34012
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34022
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34044
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34046
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34058
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34062
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34064
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34082
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34090
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34092
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34108
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34114
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34116
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34138
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34142
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34146
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34162
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34172
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34182
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34210
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34218
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34226
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34274
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34278
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34288
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34314

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 107.189.5.196 ports 3175,62947,1,3,5,7

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:47856 -> 107.189.5.196:3175

Source: /tmp/61KiF94nKN (PID: 5226)	Socket: 0.0.0.0::0
Source: /tmp/61KiF94nKN (PID: 5226)	Socket: 0.0.0.0::23
Source: /tmp/61KiF94nKN (PID: 5226)	Socket: 0.0.0.0::53413
Source: /tmp/61KiF94nKN (PID: 5226)	Socket: 0.0.0.0::80
Source: /tmp/61KiF94nKN (PID: 5226)	Socket: 0.0.0.0::52869
Source: /tmp/61KiF94nKN (PID: 5226)	Socket: 0.0.0.0::81
Source: /tmp/61KiF94nKN (PID: 5232)	Socket: 0.0.0.0::0
Source: /usr/sbin/sshd (PID: 5264)	Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5264)	Socket: [::]::22

Source: unknown

DNS traffic detected: queries for: xia.ddcch4ckserver.top

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 248.193.244.74
Source: unknown	TCP traffic detected without corresponding DNS query: 182.30.202.74
Source: unknown	TCP traffic detected without corresponding DNS query: 20.170.254.210
Source: unknown	TCP traffic detected without corresponding DNS query: 217.222.231.113
Source: unknown	TCP traffic detected without corresponding DNS query: 42.200.189.153
Source: unknown	TCP traffic detected without corresponding DNS query: 144.57.51.77
Source: unknown	TCP traffic detected without corresponding DNS query: 154.26.157.215
Source: unknown	TCP traffic detected without corresponding DNS query: 78.244.182.235
Source: unknown	TCP traffic detected without corresponding DNS query: 175.76.251.170
Source: unknown	TCP traffic detected without corresponding DNS query: 162.167.22.164
Source: unknown	TCP traffic detected without corresponding DNS query: 147.174.188.3
Source: unknown	TCP traffic detected without corresponding DNS query: 247.30.146.27
Source: unknown	TCP traffic detected without corresponding DNS query: 84.163.75.219
Source: unknown	TCP traffic detected without corresponding DNS query: 86.231.94.30
Source: unknown	TCP traffic detected without corresponding DNS query: 65.54.249.74
Source: unknown	TCP traffic detected without corresponding DNS query: 148.124.160.183
Source: unknown	TCP traffic detected without corresponding DNS query: 219.149.150.55
Source: unknown	TCP traffic detected without corresponding DNS query: 41.108.222.11
Source: unknown	TCP traffic detected without corresponding DNS query: 107.112.201.203
Source: unknown	TCP traffic detected without corresponding DNS query: 8.46.29.60
Source: unknown	TCP traffic detected without corresponding DNS query: 62.3.116.251
Source: unknown	TCP traffic detected without corresponding DNS query: 177.206.148.136
Source: unknown	TCP traffic detected without corresponding DNS query: 165.130.187.97
Source: unknown	TCP traffic detected without corresponding DNS query: 198.52.223.117
Source: unknown	TCP traffic detected without corresponding DNS query: 79.205.208.191
Source: unknown	TCP traffic detected without corresponding DNS query: 38.142.35.158
Source: unknown	TCP traffic detected without corresponding DNS query: 217.16.189.179
Source: unknown	TCP traffic detected without corresponding DNS query: 194.15.246.151
Source: unknown	TCP traffic detected without corresponding DNS query: 24.21.13.6
Source: unknown	TCP traffic detected without corresponding DNS query: 219.178.164.254
Source: unknown	TCP traffic detected without corresponding DNS query: 75.114.192.193
Source: unknown	TCP traffic detected without corresponding DNS query: 12.184.52.122
Source: unknown	TCP traffic detected without corresponding DNS query: 219.106.239.212
Source: unknown	TCP traffic detected without corresponding DNS query: 139.242.243.69
Source: unknown	TCP traffic detected without corresponding DNS query: 184.59.166.130
Source: unknown	TCP traffic detected without corresponding DNS query: 205.127.95.157
Source: unknown	TCP traffic detected without corresponding DNS query: 146.62.124.63
Source: unknown	TCP traffic detected without corresponding DNS query: 35.56.18.171
Source: unknown	TCP traffic detected without corresponding DNS query: 211.176.55.53
Source: unknown	TCP traffic detected without corresponding DNS query: 122.224.69.236
Source: unknown	TCP traffic detected without corresponding DNS query: 186.80.70.220
Source: unknown	TCP traffic detected without corresponding DNS query: 255.184.148.169
Source: unknown	TCP traffic detected without corresponding DNS query: 79.70.199.5
Source: unknown	TCP traffic detected without corresponding DNS query: 222.165.116.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.5.75.117
Source: unknown	TCP traffic detected without corresponding DNS query: 208.30.158.0
Source: unknown	TCP traffic detected without corresponding DNS query: 118.37.220.185
Source: unknown	TCP traffic detected without corresponding DNS query: 221.26.196.176
Source: unknown	TCP traffic detected without corresponding DNS query: 160.119.26.52
Source: unknown	TCP traffic detected without corresponding DNS query: 191.148.55.190

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/61KiF94nKN (PID: 5226)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/61KiF94nKN (PID: 5232)	SIGKILL sent: pid: 5266, result: successful
Source: /tmp/61KiF94nKN (PID: 5232)	SIGKILL sent: pid: 5269, result: successful

Source: classification engine

Classification label: mal72.troj.lin@0/2@13/0

Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/5261/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/5261/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/5262/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/5262/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/5264/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/5264/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/5266/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2033/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2033/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1582/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1582/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2275/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2275/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/5260/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/5260/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1612/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1612/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1579/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1579/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1699/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1699/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1335/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1335/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1698/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1698/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2028/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2028/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1334/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1334/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1576/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1576/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2302/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2302/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/3236/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/3236/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2025/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2025/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2146/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2146/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/5258/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/5258/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/5259/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/5259/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/912/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/912/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/759/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/759/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2307/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2307/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/918/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/918/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1594/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1594/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2285/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2285/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2281/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2281/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1349/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1349/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1623/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1623/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/761/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/761/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1622/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1622/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/884/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/884/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1983/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1983/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2038/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2038/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1586/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1586/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1465/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1465/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1344/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1344/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1860/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1860/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1463/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1463/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2156/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2156/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/800/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/800/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/5269/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/801/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/801/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1629/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1629/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1627/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1627/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1900/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1900/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/491/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/491/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/491/exe
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2294/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2294/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2050/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/2050/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1877/fd
Source: /tmp/61KiF94nKN (PID: 5232)	File opened: /proc/1877/fd

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37334
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37340
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37348
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37352
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37356
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37364
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37366
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37376
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37396
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 37416
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39298
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39304
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39318
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39320
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39326
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39328
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39334
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39336
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39340
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39338
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39346
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39344
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39350
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39360
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39390
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39352
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39460
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39476
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39492
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39498
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39424
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39428
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39454
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39492
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39504
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39552
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39690
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39712
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39732
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 39782
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46008
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46052
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46068
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46086
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46096
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46108
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46130
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46144
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46164
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 46210
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 33984
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 33998
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34002
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34010
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34012
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34022
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34044
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34046
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34058
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34062
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34064
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34082
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34090
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34092
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34108
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34114
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34116
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34138
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34142
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34146
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34162
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34172
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34182
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34210
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34218
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34226
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34274
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34278
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34288
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34314

Source: /tmp/61KiF94nKN (PID: 5224)

Queries kernel information via 'uname':

Source: 61KiF94nKN, 5224.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5226.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5265.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5266.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5269.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5276.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5272.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5227.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5232.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5233.1.00000000af324111.000000003135ad2c.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: 61KiF94nKN, 5224.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5226.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5265.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5266.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5269.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5276.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5272.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5227.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5232.1.00000000af324111.000000003135ad2c.rw-.sdmp, 61KiF94nKN, 5233.1.00000000af324111.000000003135ad2c.rw-.sdmp	Binary or memory string: &4V!/etc/qemu-binfmt/sparc
Source: 61KiF94nKN, 5224.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5226.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5265.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5266.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5269.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5276.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5272.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5227.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5232.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5233.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp	Binary or memory string: !x86_64/usr/bin/qemu-sparc/tmp/61KiF94nKNSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/61KiF94nKN
Source: 61KiF94nKN, 5224.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5226.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5265.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5266.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5269.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5276.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5272.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5227.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5232.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp, 61KiF94nKN, 5233.1.0000000028cb689c.00000000ff2bb44d.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc

Stealing of Sensitive Information:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping1	Security Software Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
61KiF94nKN	37%	Virustotal		Browse
61KiF94nKN	40%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
xia.ddcch4ckserver.top	13%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xia.ddcch4ckserver.top	107.189.5.196	true	true	13%, Virustotal, Browse	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
246.249.140.98	unknown	Reserved	unknown	unknown	false
170.45.110.90	unknown	United States	264957	CoopercitrusCooperativadeProdutoresRuraisBR	false
47.252.160.8	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
60.98.164.176	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
243.254.229.225	unknown	Reserved	unknown	unknown	false
5.218.173.229	unknown	Iran (ISLAMIC Republic Of)	197207	MCCI-ASIR	false
185.65.70.223	unknown	Turkey	201735	PROPHASE-ASES	false
168.71.172.254	unknown	United States	7018	ATT-INTERNET4US	false
163.112.118.125	unknown	France	17816	CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi	false
68.151.112.93	unknown	Canada	6327	SHAWCA	false
133.89.64.217	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
244.197.160.238	unknown	Reserved	unknown	unknown	false
211.188.243.31	unknown	Korea Republic of	9644	SKTELECOM-NET-ASSKTelecomKR	false
80.124.79.187	unknown	France	15557	LDCOMNETFR	false
73.10.41.195	unknown	United States	7922	COMCAST-7922US	false
9.246.160.133	unknown	United States	3356	LEVEL3US	false
193.1.217.2	unknown	Ireland	1213	HEANETIE	false
89.82.198.141	unknown	France	5410	BOUYGTEL-ISPFR	false
191.82.108.49	unknown	Argentina	22927	TelefonicadeArgentinaAR	false
221.171.214.240	unknown	Japan	2518	BIGLOBEBIGLOBEIncJP	false
83.173.196.243	unknown	Switzerland	3303	SWISSCOMSwisscomSwitzerlandLtdCH	false
157.213.248.246	unknown	United States	4704	SANNETRakutenMobileIncJP	false
81.132.68.181	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
23.224.58.144	unknown	United States	40065	CNSERVERSUS	false
68.131.63.99	unknown	United States	701	UUNETUS	false
185.167.210.138	unknown	Czech Republic	199657	TOUSKOVNETCZ	false
74.112.219.16	unknown	United States	46132	VENTYX-AN-ABB-COMPANYUS	false
158.220.98.141	unknown	Switzerland	8556	LEVANTISCH	false
90.216.180.27	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
38.89.204.151	unknown	United States	174	COGENT-174US	false
254.94.23.229	unknown	Reserved	unknown	unknown	false
62.200.46.62	unknown	European Union	2686	ATGS-MMD-ASUS	false
59.51.33.190	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
143.28.20.34	unknown	United States	264008	LANCAMANTOANISERVICOSDEINFORMATICALTDA-MEBR	false
241.155.183.174	unknown	Reserved	unknown	unknown	false
45.234.130.236	unknown	Brazil	267365	GigaTecnologiaemRedeseInternetEIRELIBR	false
165.193.73.81	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
48.185.159.34	unknown	United States	2686	ATGS-MMD-ASUS	false
135.93.177.171	unknown	United States	10455	LUCENT-CIOUS	false
41.228.193.93	unknown	Tunisia	37693	TUNISIANATN	false
142.5.110.19	unknown	Canada	46606	UNIFIEDLAYER-AS-1US	false
163.61.118.81	unknown	unknown	2516	KDDIKDDICORPORATIONJP	false
62.191.178.99	unknown	United Kingdom	5586	MCI-INTGB	false
125.175.21.204	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
120.113.153.90	unknown	Taiwan; Republic of China (ROC)	17716	NTU-TWNationalTaiwanUniversityTW	false
171.113.147.123	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
135.46.199.217	unknown	United States	54614	CIKTELECOM-CABLECA	false
166.149.86.237	unknown	United States	22394	CELLCOUS	false
8.138.12.41	unknown	Singapore	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
243.192.141.18	unknown	Reserved	unknown	unknown	false
192.237.118.230	unknown	United States	393238	IMONCUS	false
189.227.127.163	unknown	Mexico	8151	UninetSAdeCVMX	false
138.238.166.203	unknown	United States	33084	DC-NETUS	false
2.134.183.227	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
161.2.40.141	unknown	United Kingdom	15914	BritishAirwaysGB	false
173.154.95.216	unknown	United States	10507	SPCSUS	false
173.118.241.83	unknown	United States	10507	SPCSUS	false
115.234.54.210	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
222.124.195.220	unknown	Indonesia	17974	TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID	false
105.16.125.186	unknown	Mauritius	37100	SEACOM-ASMU	false
255.1.14.8	unknown	Reserved	unknown	unknown	false
147.59.82.120	unknown	United States	1533	DNIC-AS-01533US	false
160.176.253.216	unknown	Morocco	36903	MT-MPLSMA	false
141.228.157.156	unknown	United Kingdom	12701	BARCAPLondonGB	false
109.146.97.99	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
77.229.193.246	unknown	Spain	12430	VODAFONE_ESES	false
205.213.14.73	unknown	United States	2381	WISCNET1-ASUS	false
85.33.215.213	unknown	Italy	3269	ASN-IBSNAZIT	false
84.116.116.153	unknown	Netherlands	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
161.252.120.236	unknown	Kuwait	42781	ZNETAS-KW	false
123.179.22.94	unknown	China	4809	CHINATELECOM-CORE-WAN-CN2ChinaTelecomNextGenerationCarr	false
194.215.184.123	unknown	Finland	1759	TSF-IP-CORETeliaFinlandOyjEU	false
146.24.187.201	unknown	United States	197938	TRAVIANGAMESDE	false
44.79.138.141	unknown	United States	7377	UCSDUS	false
99.190.186.31	unknown	United States	7018	ATT-INTERNET4US	false
119.47.10.35	unknown	Japan	55385	DADigitalAllianceCoLtdJP	false
145.25.161.151	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
177.185.203.216	unknown	Brazil	28299	IPV6InternetLtdaBR	false
110.62.148.219	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
213.198.183.239	unknown	Italy	15589	ASN-CLOUDITALIAIT	false
97.82.62.213	unknown	United States	20115	CHARTER-20115US	false
14.45.175.64	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
95.194.248.76	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	false
209.198.18.216	unknown	United States	31996	ZOOMTCUS	false
85.40.82.1	unknown	Italy	3269	ASN-IBSNAZIT	false
70.37.55.85	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
98.155.194.88	unknown	United States	20001	TWC-20001-PACWESTUS	false
18.125.179.241	unknown	United States	3	MIT-GATEWAYSUS	false
148.43.100.233	unknown	United States	6400	CompaniaDominicanadeTelefonosSADO	false
19.44.33.247	unknown	United States	3	MIT-GATEWAYSUS	false
219.181.80.241	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
89.207.8.195	unknown	Switzerland	31662	KNSURSELVAKommunikationsNetzSurselvaCH	false
35.198.202.160	unknown	United States	15169	GOOGLEUS	false
43.133.6.103	unknown	Japan	4249	LILLY-ASUS	false
53.71.21.3	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
113.19.180.129	unknown	India	23772	ORTELNET-ASMsOrtelCommunicationsLtdIN	false
194.12.240.1	unknown	Bulgaria	8262	EVOLINK-ASBG	false
253.82.17.118	unknown	Reserved	unknown	unknown	false
218.124.198.24	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
92.98.39.146	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	false

Runtime Messages

Command:	/tmp/61KiF94nKN
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Infected By Akiru
Standard Error:

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
254.94.23.229	Darknet.x86	Get hash	malicious	Browse
211.188.243.31	3DAMhv0DFI	Get hash	malicious	Browse
193.1.217.2	X5bKvoLX1E	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
xia.ddcch4ckserver.top	GuSrMsLH0y	Get hash	malicious	Browse	107.189.5.196
	e8cvIYg1a3	Get hash	malicious	Browse	107.189.5.196
	wCEe6Y5TGI	Get hash	malicious	Browse	107.189.5.196
	Xp9AXIBaBp	Get hash	malicious	Browse	107.189.5.196

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CoopercitrusCooperativadeProdutoresRuraisBR	sora.x86	Get hash	malicious	Browse	170.37.47.60
	l8np4x8FGL	Get hash	malicious	Browse	170.40.43.249
	ZOi52gHoIY	Get hash	malicious	Browse	170.40.43.244
	M0ek1k58Q3	Get hash	malicious	Browse	170.41.140.221
	KKveTTgaAAsecNNaaaa.x86-20211122-0650	Get hash	malicious	Browse	170.1.225.236
	6L1AGNUMgk	Get hash	malicious	Browse	170.45.183.59
	mfFr814Hup	Get hash	malicious	Browse	170.40.43.210
	4i9Yl7vp8B	Get hash	malicious	Browse	170.40.43.243
	8cpsKRnU4r	Get hash	malicious	Browse	170.45.183.54
	K1kUt3MxkS	Get hash	malicious	Browse	170.0.2.234
	bRQTHkekvv	Get hash	malicious	Browse	170.43.8.208
	RJHE1O7ZBF	Get hash	malicious	Browse	170.45.183.15
	HT7gBWexDX	Get hash	malicious	Browse	170.45.183.36
	DGxCnji49S	Get hash	malicious	Browse	170.45.134.66
	iQGF9sgxaB	Get hash	malicious	Browse	170.44.221.217
	z0x3n.x86-20211110-2150	Get hash	malicious	Browse	170.36.107.18
	pt7DJSPfna	Get hash	malicious	Browse	170.37.13.129
	QsSD7q2BRO	Get hash	malicious	Browse	170.45.109.60
	sora.arm	Get hash	malicious	Browse	170.40.43.246
	wRmHCEnowI	Get hash	malicious	Browse	170.40.43.214
GIGAINFRASoftbankBBCorpJP	GuSrMsLH0y	Get hash	malicious	Browse	221.75.228.134
	wCEe6Y5TGI	Get hash	malicious	Browse	220.0.129.221
	arm7	Get hash	malicious	Browse	218.121.111.189
	x86	Get hash	malicious	Browse	221.87.19.65
	arm	Get hash	malicious	Browse	126.22.226.224
	rELGr0VELq	Get hash	malicious	Browse	126.165.234.100
	ThhBCrYJCm	Get hash	malicious	Browse	221.73.91.128
	R5UqytMpoF	Get hash	malicious	Browse	126.25.240.2
	sora.x86	Get hash	malicious	Browse	220.19.206.59
	sora.arm7	Get hash	malicious	Browse	221.87.68.14
	sora.arm	Get hash	malicious	Browse	126.180.101.68
	OhDPOb1tfB	Get hash	malicious	Browse	126.215.126.182
	b3astmode.arm7	Get hash	malicious	Browse	221.17.155.132
	b3astmode.arm	Get hash	malicious	Browse	221.28.251.112
	tPC6yuAhsc	Get hash	malicious	Browse	126.98.144.148
	sora.x86	Get hash	malicious	Browse	126.195.188.132
	0VIoO2ovmF	Get hash	malicious	Browse	220.1.225.135
	6Zcc7k2JZy	Get hash	malicious	Browse	60.86.254.14
	nKv4cxjIx6	Get hash	malicious	Browse	219.18.123.200
	apep.arm7	Get hash	malicious	Browse	160.24.170.153
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	780426DE24AE46F300FDAF9CBF597C8F2164F7B6C525C.exe	Get hash	malicious	Browse	47.251.42.216
	Kq8hjfiv87.exe	Get hash	malicious	Browse	47.251.42.216
	C7304FF0966068D305DA031F9DA60C5B0EBE32AC43533.exe	Get hash	malicious	Browse	47.251.42.216
	arm	Get hash	malicious	Browse	8.208.25.42
	f2Y03RRaRe.exe	Get hash	malicious	Browse	8.209.79.122
	DrC7J6YQnm.exe	Get hash	malicious	Browse	8.209.71.17
	tips-5067550674.xls	Get hash	malicious	Browse	149.129.254.152
	tips920293137.xls	Get hash	malicious	Browse	149.129.254.152
	tips920293137.xls	Get hash	malicious	Browse	149.129.254.152
	156219029342206-107-0_attach.1.payment 264494490.xls	Get hash	malicious	Browse	149.129.254.152
	NVTNgwAjOK	Get hash	malicious	Browse	8.212.11.154
	RFQ-CIF DT22.doc	Get hash	malicious	Browse	47.241.96.113
	order 4544471372.xls	Get hash	malicious	Browse	149.129.254.152
	order 4544471372.xls	Get hash	malicious	Browse	149.129.254.152
	SecuriteInfo.com.Heur.31616.xls	Get hash	malicious	Browse	149.129.254.152
	SecuriteInfo.com.Heur.26641.xls	Get hash	malicious	Browse	149.129.254.152
	SecuriteInfo.com.Heur.5035.doc	Get hash	malicious	Browse	8.209.79.68
	SecuriteInfo.com.Heur.6074.doc	Get hash	malicious	Browse	8.209.79.68
	plans_48055147646.xls	Get hash	malicious	Browse	149.129.254.152
	plans_48055147646.xls	Get hash	malicious	Browse	149.129.254.152

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/proc/5264/oom_score_adj Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Reputation:	high, very likely benign file
Preview:	-1000.

/run/sshd.pid Download File
Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:Ct:Ct
MD5:	ED62F87F4EC9699FDAD6BAFEFC371E3D
SHA1:	F14CB0851A26C184C7614A62326934CBFDA85155
SHA-256:	EB4EE1B62A4108FE56E980DC18F22FA746F5060A5265EA1E101CB5CBA1F6F43E
SHA-512:	C3111F12F3B9DF49EBC63F082C6B267AE6DB6AC567E258584F5C8883B17DC683CE947F9BBF8E99F706C31ECB1B74EA7D6BCEA9F8F2D0BC668DF14123EF6B246B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	5264.

Static File Info

General
File type:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.009298823803464
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	61KiF94nKN
File size:	66380
MD5:	06d58f655cb40ee644bd74e19483ba8b
SHA1:	84a92f7b7855ef9f1ec12e10ef38b3bc7045d903
SHA256:	e0f8643b2d10593678b16fdaab7bc4a070cdbe4a8a617b0a37bda328f4002235
SHA512:	c1f7006c3f4a845df1b582b2fb6fcdfe83a033b8dd7cb9c7cde7afbcbce3ac57a467feda72f1c77d44843f05ca725ce50d6db93edf61f7680d247ca3258a4bc4
SSDEEP:	1536:0dn1Jb3SdNySlmbWfuPA+CbsyGjoycpbY+WJ:suv1sbWfu4Tsffcp0+WJ
File Content Preview:	.ELF...........................4.........4. ...(....................... ... ...........................\|............dt.Q................................@..(....@.<.................#.....a...`.....!..... ...@.....".........`......$ ... ...@...........`....

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	Sparc
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x101a4
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	65980
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10094	0x94	0x1c	0x0	0x6	AX	4
.text	PROGBITS	0x100b0	0xb0	0xf3e8	0x0	0x6	AX	4
.fini	PROGBITS	0x1f498	0xf498	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x1f4b0	0xf4b0	0x870	0x0	0x2	A	8
.ctors	PROGBITS	0x20000	0x10000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x20008	0x10008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x20018	0x10018	0x164	0x0	0x3	WA	8
.bss	NOBITS	0x20180	0x1017c	0x310	0x0	0x3	WA	8
.shstrtab	STRTAB	0x0	0x1017c	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000	0x10000	0xfd20	0xfd20	3.3193	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x10000	0x20000	0x20000	0x17c	0x490	0.4307	0x6	RW	0x10000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2021 22:45:34.410459995 CET	47856	3175	192.168.2.23	107.189.5.196
Dec 4, 2021 22:45:34.439884901 CET	3175	47856	107.189.5.196	192.168.2.23
Dec 4, 2021 22:45:34.440021992 CET	47856	3175	192.168.2.23	107.189.5.196
Dec 4, 2021 22:45:34.440248013 CET	47856	3175	192.168.2.23	107.189.5.196
Dec 4, 2021 22:45:34.469099045 CET	3175	47856	107.189.5.196	192.168.2.23
Dec 4, 2021 22:45:34.469194889 CET	47856	3175	192.168.2.23	107.189.5.196
Dec 4, 2021 22:45:34.488081932 CET	20501	23	192.168.2.23	248.193.244.74
Dec 4, 2021 22:45:34.488213062 CET	20501	23	192.168.2.23	182.30.202.74
Dec 4, 2021 22:45:34.488331079 CET	20501	23	192.168.2.23	20.170.254.210
Dec 4, 2021 22:45:34.488363028 CET	20501	23	192.168.2.23	217.222.231.113
Dec 4, 2021 22:45:34.488392115 CET	20501	23	192.168.2.23	42.200.189.153
Dec 4, 2021 22:45:34.488398075 CET	20501	23	192.168.2.23	144.57.51.77
Dec 4, 2021 22:45:34.488399982 CET	20501	23	192.168.2.23	154.26.157.215
Dec 4, 2021 22:45:34.488399982 CET	20501	23	192.168.2.23	78.244.182.235
Dec 4, 2021 22:45:34.488426924 CET	20501	23	192.168.2.23	175.76.251.170
Dec 4, 2021 22:45:34.488524914 CET	20501	23	192.168.2.23	162.167.22.164
Dec 4, 2021 22:45:34.488684893 CET	20501	23	192.168.2.23	147.174.188.3
Dec 4, 2021 22:45:34.488699913 CET	20501	23	192.168.2.23	247.30.146.27
Dec 4, 2021 22:45:34.488746881 CET	20501	23	192.168.2.23	84.163.75.219
Dec 4, 2021 22:45:34.488754034 CET	20501	23	192.168.2.23	86.231.94.30
Dec 4, 2021 22:45:34.488761902 CET	20501	23	192.168.2.23	65.54.249.74
Dec 4, 2021 22:45:34.488817930 CET	20501	23	192.168.2.23	148.124.160.183
Dec 4, 2021 22:45:34.488969088 CET	20501	23	192.168.2.23	219.149.150.55
Dec 4, 2021 22:45:34.488981009 CET	20501	23	192.168.2.23	41.108.222.11
Dec 4, 2021 22:45:34.489058971 CET	20501	23	192.168.2.23	107.112.201.203
Dec 4, 2021 22:45:34.489156961 CET	20501	23	192.168.2.23	8.46.29.60
Dec 4, 2021 22:45:34.489168882 CET	20501	23	192.168.2.23	62.3.116.251
Dec 4, 2021 22:45:34.489172935 CET	20501	23	192.168.2.23	177.206.148.136
Dec 4, 2021 22:45:34.489187956 CET	20501	23	192.168.2.23	165.130.187.97
Dec 4, 2021 22:45:34.489317894 CET	20501	23	192.168.2.23	198.52.223.117
Dec 4, 2021 22:45:34.489336014 CET	20501	23	192.168.2.23	79.205.208.191
Dec 4, 2021 22:45:34.489345074 CET	20501	23	192.168.2.23	38.142.35.158
Dec 4, 2021 22:45:34.489389896 CET	20501	23	192.168.2.23	217.16.189.179
Dec 4, 2021 22:45:34.489413023 CET	20501	23	192.168.2.23	194.15.246.151
Dec 4, 2021 22:45:34.489438057 CET	20501	23	192.168.2.23	24.21.13.6
Dec 4, 2021 22:45:34.489563942 CET	20501	23	192.168.2.23	162.2.210.17
Dec 4, 2021 22:45:34.489590883 CET	20501	23	192.168.2.23	219.178.164.254
Dec 4, 2021 22:45:34.489603043 CET	20501	23	192.168.2.23	75.114.192.193
Dec 4, 2021 22:45:34.489629984 CET	20501	23	192.168.2.23	12.184.52.122
Dec 4, 2021 22:45:34.489639997 CET	20501	23	192.168.2.23	219.106.239.212
Dec 4, 2021 22:45:34.489686012 CET	20501	23	192.168.2.23	139.242.243.69
Dec 4, 2021 22:45:34.489737034 CET	20501	23	192.168.2.23	184.59.166.130
Dec 4, 2021 22:45:34.489785910 CET	20501	23	192.168.2.23	205.127.95.157
Dec 4, 2021 22:45:34.489914894 CET	20501	23	192.168.2.23	146.62.124.63
Dec 4, 2021 22:45:34.489996910 CET	20501	23	192.168.2.23	35.56.18.171
Dec 4, 2021 22:45:34.490010023 CET	20501	23	192.168.2.23	211.176.55.53
Dec 4, 2021 22:45:34.490026951 CET	20501	23	192.168.2.23	122.224.69.236
Dec 4, 2021 22:45:34.490058899 CET	20501	23	192.168.2.23	186.80.70.220
Dec 4, 2021 22:45:34.490073919 CET	20501	23	192.168.2.23	255.184.148.169
Dec 4, 2021 22:45:34.490091085 CET	20501	23	192.168.2.23	79.70.199.5
Dec 4, 2021 22:45:34.490104914 CET	20501	23	192.168.2.23	222.165.116.129
Dec 4, 2021 22:45:34.490117073 CET	20501	23	192.168.2.23	94.5.75.117
Dec 4, 2021 22:45:34.490180016 CET	20501	23	192.168.2.23	208.30.158.0
Dec 4, 2021 22:45:34.490200043 CET	20501	23	192.168.2.23	118.37.220.185
Dec 4, 2021 22:45:34.490255117 CET	20501	23	192.168.2.23	221.26.196.176
Dec 4, 2021 22:45:34.490299940 CET	20501	23	192.168.2.23	160.119.26.52
Dec 4, 2021 22:45:34.490324974 CET	20501	23	192.168.2.23	191.148.55.190
Dec 4, 2021 22:45:34.490372896 CET	20501	23	192.168.2.23	197.98.116.127
Dec 4, 2021 22:45:34.490405083 CET	20501	23	192.168.2.23	244.146.147.1
Dec 4, 2021 22:45:34.490411997 CET	20501	23	192.168.2.23	54.11.13.132
Dec 4, 2021 22:45:34.490427017 CET	20501	23	192.168.2.23	147.189.82.55
Dec 4, 2021 22:45:34.490470886 CET	20501	23	192.168.2.23	110.42.16.236
Dec 4, 2021 22:45:34.490485907 CET	20501	23	192.168.2.23	48.1.91.144
Dec 4, 2021 22:45:34.490489006 CET	20501	23	192.168.2.23	190.105.59.8
Dec 4, 2021 22:45:34.490514040 CET	20501	23	192.168.2.23	65.173.100.107
Dec 4, 2021 22:45:34.490528107 CET	20501	23	192.168.2.23	181.147.251.118
Dec 4, 2021 22:45:34.490782022 CET	20501	23	192.168.2.23	67.10.193.232
Dec 4, 2021 22:45:34.490835905 CET	20501	23	192.168.2.23	157.226.68.20
Dec 4, 2021 22:45:34.490860939 CET	20501	23	192.168.2.23	198.81.182.95
Dec 4, 2021 22:45:34.490869999 CET	20501	23	192.168.2.23	77.98.224.151
Dec 4, 2021 22:45:34.491029024 CET	20501	23	192.168.2.23	74.232.6.86
Dec 4, 2021 22:45:34.491049051 CET	20501	23	192.168.2.23	221.238.143.8
Dec 4, 2021 22:45:34.491050959 CET	20501	23	192.168.2.23	217.63.27.189
Dec 4, 2021 22:45:34.491071939 CET	20501	23	192.168.2.23	84.99.94.108
Dec 4, 2021 22:45:34.491096020 CET	20501	23	192.168.2.23	92.13.52.23
Dec 4, 2021 22:45:34.491103888 CET	20501	23	192.168.2.23	108.162.86.130
Dec 4, 2021 22:45:34.491199017 CET	20501	23	192.168.2.23	204.55.70.130
Dec 4, 2021 22:45:34.491277933 CET	20501	23	192.168.2.23	199.119.255.193
Dec 4, 2021 22:45:34.491390944 CET	20501	23	192.168.2.23	104.170.68.59
Dec 4, 2021 22:45:34.491410971 CET	20501	23	192.168.2.23	90.97.94.152
Dec 4, 2021 22:45:34.491425991 CET	20501	23	192.168.2.23	165.174.15.118
Dec 4, 2021 22:45:34.491439104 CET	20501	23	192.168.2.23	61.104.64.148
Dec 4, 2021 22:45:34.491452932 CET	20501	23	192.168.2.23	218.162.113.198
Dec 4, 2021 22:45:34.491466045 CET	20501	23	192.168.2.23	42.200.244.240
Dec 4, 2021 22:45:34.491481066 CET	20501	23	192.168.2.23	111.107.17.158
Dec 4, 2021 22:45:34.491534948 CET	20501	23	192.168.2.23	177.38.223.139
Dec 4, 2021 22:45:34.491554976 CET	20501	23	192.168.2.23	13.2.160.160
Dec 4, 2021 22:45:34.491584063 CET	20501	23	192.168.2.23	204.160.232.196
Dec 4, 2021 22:45:34.491616011 CET	20501	23	192.168.2.23	12.238.221.189
Dec 4, 2021 22:45:34.491662979 CET	20501	23	192.168.2.23	246.54.140.13
Dec 4, 2021 22:45:34.491723061 CET	20501	23	192.168.2.23	164.208.182.69
Dec 4, 2021 22:45:34.491760015 CET	20501	23	192.168.2.23	251.108.61.171
Dec 4, 2021 22:45:34.491836071 CET	20501	23	192.168.2.23	63.37.121.122
Dec 4, 2021 22:45:34.491846085 CET	20501	23	192.168.2.23	110.192.141.151
Dec 4, 2021 22:45:34.491887093 CET	20501	23	192.168.2.23	99.162.195.67
Dec 4, 2021 22:45:34.491902113 CET	20501	23	192.168.2.23	24.224.53.184
Dec 4, 2021 22:45:34.491949081 CET	20501	23	192.168.2.23	2.162.30.179
Dec 4, 2021 22:45:34.492008924 CET	20501	23	192.168.2.23	188.69.83.158
Dec 4, 2021 22:45:34.492062092 CET	20501	23	192.168.2.23	180.68.210.119
Dec 4, 2021 22:45:34.492064953 CET	20501	23	192.168.2.23	179.200.223.50

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 4, 2021 22:45:34.386389017 CET	192.168.2.23	8.8.8.8	0xba5a	Standard query (0)	xia.ddcch4ckserver.top	A (IP address)	IN (0x0001)
Dec 4, 2021 22:45:42.784358025 CET	192.168.2.23	8.8.8.8	0xba5a	Standard query (0)	xia.ddcch4ckserver.top	A (IP address)	IN (0x0001)
Dec 4, 2021 22:45:42.874461889 CET	192.168.2.23	8.8.8.8	0xba5a	Standard query (0)	xia.ddcch4ckserver.top	A (IP address)	IN (0x0001)
Dec 4, 2021 22:45:56.854185104 CET	192.168.2.23	8.8.8.8	0x6ef4	Standard query (0)	xia.ddcch4ckserver.top	A (IP address)	IN (0x0001)
Dec 4, 2021 22:46:03.318275928 CET	192.168.2.23	8.8.8.8	0xd2d4	Standard query (0)	xia.ddcch4ckserver.top	A (IP address)	IN (0x0001)
Dec 4, 2021 22:46:03.596966982 CET	192.168.2.23	8.8.8.8	0x2b86	Standard query (0)	xia.ddcch4ckserver.top	A (IP address)	IN (0x0001)
Dec 4, 2021 22:46:09.163847923 CET	192.168.2.23	8.8.8.8	0xb537	Standard query (0)	xia.ddcch4ckserver.top	A (IP address)	IN (0x0001)
Dec 4, 2021 22:46:33.807394981 CET	192.168.2.23	8.8.8.8	0x477c	Standard query (0)	xia.ddcch4ckserver.top	A (IP address)	IN (0x0001)
Dec 4, 2021 22:46:55.184551001 CET	192.168.2.23	8.8.8.8	0x57bd	Standard query (0)	xia.ddcch4ckserver.top	A (IP address)	IN (0x0001)
Dec 4, 2021 22:47:03.980705023 CET	192.168.2.23	8.8.8.8	0xd143	Standard query (0)	xia.ddcch4ckserver.top	A (IP address)	IN (0x0001)
Dec 4, 2021 22:47:04.723417997 CET	192.168.2.23	8.8.8.8	0xf816	Standard query (0)	xia.ddcch4ckserver.top	A (IP address)	IN (0x0001)
Dec 4, 2021 22:47:05.338871956 CET	192.168.2.23	8.8.8.8	0x1c2c	Standard query (0)	xia.ddcch4ckserver.top	A (IP address)	IN (0x0001)
Dec 4, 2021 22:47:45.619473934 CET	192.168.2.23	8.8.8.8	0x203b	Standard query (0)	xia.ddcch4ckserver.top	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Dec 4, 2021 22:45:34.409746885 CET	8.8.8.8	192.168.2.23	0xba5a	No error (0)	xia.ddcch4ckserver.top	107.189.5.196	A (IP address)	IN (0x0001)
Dec 4, 2021 22:45:42.890985012 CET	8.8.8.8	192.168.2.23	0xba5a	No error (0)	xia.ddcch4ckserver.top	107.189.5.196	A (IP address)	IN (0x0001)
Dec 4, 2021 22:45:42.895654917 CET	8.8.8.8	192.168.2.23	0xba5a	No error (0)	xia.ddcch4ckserver.top	107.189.5.196	A (IP address)	IN (0x0001)
Dec 4, 2021 22:45:56.872252941 CET	8.8.8.8	192.168.2.23	0x6ef4	No error (0)	xia.ddcch4ckserver.top	107.189.5.196	A (IP address)	IN (0x0001)
Dec 4, 2021 22:46:03.609237909 CET	8.8.8.8	192.168.2.23	0xd2d4	No error (0)	xia.ddcch4ckserver.top	107.189.5.196	A (IP address)	IN (0x0001)
Dec 4, 2021 22:46:03.615993023 CET	8.8.8.8	192.168.2.23	0x2b86	No error (0)	xia.ddcch4ckserver.top	107.189.5.196	A (IP address)	IN (0x0001)
Dec 4, 2021 22:46:09.183428049 CET	8.8.8.8	192.168.2.23	0xb537	No error (0)	xia.ddcch4ckserver.top	107.189.5.196	A (IP address)	IN (0x0001)
Dec 4, 2021 22:46:34.152484894 CET	8.8.8.8	192.168.2.23	0x477c	No error (0)	xia.ddcch4ckserver.top	107.189.5.196	A (IP address)	IN (0x0001)
Dec 4, 2021 22:46:55.204437017 CET	8.8.8.8	192.168.2.23	0x57bd	No error (0)	xia.ddcch4ckserver.top	107.189.5.196	A (IP address)	IN (0x0001)
Dec 4, 2021 22:47:04.003648996 CET	8.8.8.8	192.168.2.23	0xd143	No error (0)	xia.ddcch4ckserver.top	107.189.5.196	A (IP address)	IN (0x0001)
Dec 4, 2021 22:47:04.741116047 CET	8.8.8.8	192.168.2.23	0xf816	No error (0)	xia.ddcch4ckserver.top	107.189.5.196	A (IP address)	IN (0x0001)
Dec 4, 2021 22:47:05.358477116 CET	8.8.8.8	192.168.2.23	0x1c2c	No error (0)	xia.ddcch4ckserver.top	107.189.5.196	A (IP address)	IN (0x0001)
Dec 4, 2021 22:47:45.642565966 CET	8.8.8.8	192.168.2.23	0x203b	No error (0)	xia.ddcch4ckserver.top	107.189.5.196	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: 61KiF94nKN PID: 5224 Parent PID: 5117

General

Start time:	22:45:33
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	/tmp/61KiF94nKN
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5226 Parent PID: 5224

General

Start time:	22:45:33
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5265 Parent PID: 5226

General

Start time:	22:45:40
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5266 Parent PID: 5226

General

Start time:	22:45:41
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5269 Parent PID: 5266

General

Start time:	22:45:41
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5276 Parent PID: 5269

General

Start time:	22:45:42
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5278 Parent PID: 5269

General

Start time:	22:45:42
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5300 Parent PID: 5278

General

Start time:	22:46:08
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5272 Parent PID: 5266

General

Start time:	22:45:41
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5274 Parent PID: 5266

General

Start time:	22:45:41
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5315 Parent PID: 5274

General

Start time:	22:46:33
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5358 Parent PID: 5274

General

Start time:	22:47:44
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5227 Parent PID: 5224

General

Start time:	22:45:33
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5228 Parent PID: 5224

General

Start time:	22:45:33
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5232 Parent PID: 5228

General

Start time:	22:45:33
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5233 Parent PID: 5228

General

Start time:	22:45:33
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5235 Parent PID: 5228

General

Start time:	22:45:33
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5288 Parent PID: 5235

General

Start time:	22:45:56
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5296 Parent PID: 5288

General

Start time:	22:46:02
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5294 Parent PID: 5235

General

Start time:	22:46:02
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5326 Parent PID: 5294

General

Start time:	22:46:54
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5332 Parent PID: 5326

General

Start time:	22:47:03
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5336 Parent PID: 5332

General

Start time:	22:47:04
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: 61KiF94nKN PID: 5334 Parent PID: 5326

General

Start time:	22:47:03
Start date:	04/12/2021
Path:	/tmp/61KiF94nKN
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Analysis Process: systemd PID: 5263 Parent PID: 1

General

Start time:	22:45:40
Start date:	04/12/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5263 Parent PID: 1

General

Start time:	22:45:40
Start date:	04/12/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -t
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 5264 Parent PID: 1

General

Start time:	22:45:40
Start date:	04/12/2021
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 5264 Parent PID: 1

General

Start time:	22:45:40
Start date:	04/12/2021
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report 61KiF94nKN

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

PCAP (Network Traffic)

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: 61KiF94nKN PID: 5224 Parent PID: 5117

General

Analysis Process: 61KiF94nKN PID: 5226 Parent PID: 5224

General

Analysis Process: 61KiF94nKN PID: 5265 Parent PID: 5226

General

Analysis Process: 61KiF94nKN PID: 5266 Parent PID: 5226

General

Analysis Process: 61KiF94nKN PID: 5269 Parent PID: 5266

General

Analysis Process: 61KiF94nKN PID: 5276 Parent PID: 5269

General

Analysis Process: 61KiF94nKN PID: 5278 Parent PID: 5269

General

Analysis Process: 61KiF94nKN PID: 5300 Parent PID: 5278

General

Analysis Process: 61KiF94nKN PID: 5272 Parent PID: 5266

General

Analysis Process: 61KiF94nKN PID: 5274 Parent PID: 5266

General

Analysis Process: 61KiF94nKN PID: 5315 Parent PID: 5274