
Linux Analysis Report SedZv73LJb

Overview

General Information

Sample Name: SedZv73LJb
Analysis ID: 537271
MD5: bdc02fe5c4e820cc750d4b5b7280f2cd
SHA1: d49ff96bbfbd990ffdb4727a809b97eb05bf1c2a
SHA256: a06645dcacd00b2ffa5db96729241c355e012fa87a2ef16d595a4bac7a7dcd10
Tags: 32, elf, mips, mirai

Detection

Mirai
Score: 84
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Sample is packed with UPX
Sample contains only a LOAD segment without any section mappings
Yara signature match
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample listens on a socket
Sample tries to kill a process (SIGKILL)


Analysis Advice

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures
Static ELF header machine description suggests that the sample might not execute correctly on this machine
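
Both advice lines are derived from the ELF header alone: the e_machine field names the target CPU, and the tags (32, elf, mips) together with the qemu-mipsel strings later in this report show that the x64 analysis host ran this 32-bit little-endian MIPS binary under user-mode QEMU via binfmt_misc. The Python script below is an added example, not part of the Joe Sandbox report, that performs the same static triage a practitioner would run before detonation: it reads the ELF identity bytes and header, lists the program-header segments, flags a file that has PT_LOAD segments but no section header table (the "LOAD segment without any section mappings" signature), and searches for the UPX banner. The bytes it parses are a constructed stand-in (a 52-byte ELF32 header, one PT_LOAD at 0x100000 as in the report, and the UPX banner string), not the sample itself; on a real file call triage(open(path, "rb").read()).

```python
import hashlib
import struct

# e_machine values from the ELF specification (subset that matters for IoT samples)
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
PT_LOAD = 1
# The UPX stub banner the YARA rule hit on, plus the "UPX!" magic of the packed-data header
UPX_MARKERS = (b"$Info: This file is packed with the UPX", b"UPX!")


def parse_elf(data: bytes) -> dict:
    """Parse the ELF header and program headers (ELF32/ELF64, either byte order)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                       # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"     # EI_DATA:  1 = little, 2 = big
    hdr_fmt = endian + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    (e_type, e_machine, _, e_entry, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, e_shnum, _) = struct.unpack_from(hdr_fmt, data, 16)
    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags, _, p_vaddr, _, p_filesz, p_memsz, _ = struct.unpack_from(
                endian + "IIQQQQQQ", data, off)
        else:
            p_type, _, p_vaddr, _, p_filesz, p_memsz, p_flags, _ = struct.unpack_from(
                endian + "IIIIIIII", data, off)
        segments.append({"type": p_type, "vaddr": p_vaddr, "filesz": p_filesz,
                         "memsz": p_memsz, "flags": p_flags})
    return {"class": "ELF64" if is64 else "ELF32",
            "endian": "little" if endian == "<" else "big",
            "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
            "type": e_type, "entry": e_entry,
            "section_headers": e_shnum, "segments": segments}


def triage(data: bytes, host_machine: str = "x86-64") -> dict:
    """Static checks that mirror the report's advice lines and two of its signatures."""
    info = parse_elf(data)
    loads = [s for s in info["segments"] if s["type"] == PT_LOAD]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "class": info["class"],
        "endian": info["endian"],
        "machine": info["machine"],
        "entry": info["entry"],
        "load_vaddrs": [s["vaddr"] for s in loads],
        # PT_LOAD present but no section header table: "LOAD without section mappings"
        "load_without_sections": bool(loads) and info["section_headers"] == 0,
        "upx_banner": any(m in data for m in UPX_MARKERS),
        # "might not execute correctly on this machine": needs qemu-user via binfmt_misc
        "needs_emulation": info["machine"] != host_machine,
    }


def build_sample() -> bytes:
    """Constructed stand-in, not the real binary: ELF32, little-endian, e_machine 8 (MIPS),
    one PT_LOAD at 0x100000 (the segment address the report shows), e_shnum 0, UPX banner."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    banner = b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\x00"
    total = 52 + 32 + len(banner)
    ehdr = struct.pack("<HHIIIIIHHHHHH", 2, 8, 1, 0x100000, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, 0x100000, 0x100000, total, total, 5, 0x1000)
    return ident + ehdr + phdr + banner


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

A file that reports needs_emulation should be detonated on a matching architecture or through qemu-user; a file that reports load_without_sections together with upx_banner is worth unpacking (upx -d on an unmodified stub) before any static string work, since the packed image carries only the stub's strings.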

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 537271
Start date: 09.12.2021
Start time: 17:04:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 25s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SedZv73LJb
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal84.troj.evad.lin@0/2@0/0
Warnings:
  • Report size exceeded maximum capacity and may have missing network information.
  • TCP Packets have been reduced to 100
  • VT rate limit hit for: SedZv73LJb

Process Tree

  • system is lnxubuntu20
  • SedZv73LJb (PID: 5216, Parent: 5108, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/SedZv73LJb
  • systemd New Fork (PID: 5249, Parent: 1)
  • sshd (PID: 5249, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t
  • systemd New Fork (PID: 5250, Parent: 1)
  • sshd (PID: 5250, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D
  • dash New Fork (PID: 5258, Parent: 4331)
  • rm (PID: 5258, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.FfRdbVixpI /tmp/tmp.30Eql1npMD /tmp/tmp.8ub6rio7wF
  • cleanup

Yara Overview

Initial Sample

Source | Rule | Description | Author
SedZv73LJb | SUSP_ELF_LNX_UPX_Compressed_File | Detects a suspicious ELF binary with UPX compression | Florian Roth
  • 0x7428: $s1: PROT_EXEC|PROT_WRITE failed.
  • 0x7497: $s2: $Id: UPX
  • 0x7448: $s3: $Info: This file is packed with the UPX executable packer

PCAP (Network Traffic)

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Mirai_12 | Yara detected Mirai | Joe Security

Memory Dumps

Source | Rule | Description | Author
5218.1.0000000047c7bfd3.0000000051fda745.rw-.sdmp | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth
  • $xo1: oMXKNNC\x0D\x17\x0C\x12 at 0x1414, 0x1488, 0x14fc, 0x1570, 0x15e4, 0x1864, 0x18bc, 0x1914, 0x196c, 0x19c4
5226.1.0000000047c7bfd3.0000000051fda745.rw-.sdmp | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth
  • $xo1: oMXKNNC\x0D\x17\x0C\x12 at 0x1414, 0x1488, 0x14fc, 0x1570, 0x15e4, 0x1864, 0x18bc, 0x1914, 0x196c, 0x19c4
5216.1.0000000047c7bfd3.0000000051fda745.rw-.sdmp | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth
  • $xo1: oMXKNNC\x0D\x17\x0C\x12 at 0x1414, 0x1488, 0x14fc, 0x1570, 0x15e4, 0x1864, 0x18bc, 0x1914, 0x196c, 0x19c4
5220.1.0000000001011e93.00000000a387de8a.r-x.sdmp | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth
  • $xo1: oMXKNNC\x0D\x17\x0C\x12 at 0x14860, 0x148d0, 0x14940, 0x149b0, 0x14a20, 0x14c90, 0x14ce4, 0x14d38, 0x14d8c, 0x14de0
5220.1.0000000001011e93.00000000a387de8a.r-x.sdmp | Mirai_Botnet_Malware | Detects Mirai Botnet Malware | Florian Roth
  • 0x14190: $x1: POST /cdn-cgi/
  • 0x146e0: $s1: LCOGQGPTGP
19 further entries are not shown in this report excerpt.
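
The $xo1 string that SUSP_XORed_Mozilla matched in every dump, oMXKNNC\x0D\x17\x0C\x12, is "Mozilla/5.0" with every byte XORed by 0x22, and the $s1 string LCOGQGPTGP from Mirai_Botnet_Malware decodes with the same byte to "nameserver". 0x22 is what the four bytes of the table key 0xDEADBEEF in the leaked Mirai source fold to when XORed together, which is how the original table.c obfuscates its string table. The script below is an added example, not part of the report or of the YARA rules: it recovers the key from the known plaintext instead of assuming it, decodes both strings from this report, and sweeps a memory region for further obfuscated entries. The region it sweeps is constructed from those two strings; the layout and offsets of the real table are not taken from the page.

```python
import string
from typing import List, Optional

MIRAI_TABLE_KEY = 0xDEADBEEF  # table_key in the leaked Mirai source (table.c)

# The strings exactly as the YARA hits in this report print them
XO1 = b"oMXKNNC\x0d\x17\x0c\x12"  # SUSP_XORed_Mozilla, $xo1
S1 = b"LCOGQGPTGP"                # Mirai_Botnet_Malware, $s1

PRINTABLE = set(string.printable.encode()) - {0x0b, 0x0c}


def fold_key(key: int) -> int:
    """Mirai's toggle_obf() XORs each byte with the four key bytes in turn, which is
    the same as XORing with their combination, so the 32-bit key collapses to one byte."""
    return (key & 0xFF) ^ ((key >> 8) & 0xFF) ^ ((key >> 16) & 0xFF) ^ ((key >> 24) & 0xFF)


def xor_bytes(data: bytes, k: int) -> bytes:
    return bytes(b ^ k for b in data)


def recover_key(cipher: bytes, crib: bytes) -> Optional[int]:
    """Single-byte XOR key from a known plaintext; None if no single byte fits every position."""
    if len(cipher) != len(crib):
        return None
    keys = {c ^ p for c, p in zip(cipher, crib)}
    return keys.pop() if len(keys) == 1 else None


def sweep(blob: bytes, k: int, min_len: int = 4) -> List[str]:
    """Decode a memory region with key k and return the printable runs it contains."""
    found, run = [], bytearray()
    for b in xor_bytes(blob, k) + b"\x00":   # trailing NUL flushes the last run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode())
        run = bytearray()
    return found


def build_blob() -> bytes:
    """Constructed region (layout not taken from the report): entries are stored XORed
    together with their NUL terminator, so the encoded NUL 0x22 separates them."""
    plain = b"\x00" * 4 + b"Mozilla/5.0\x00" + b"\x00" * 3 + b"nameserver\x00"
    return xor_bytes(plain, fold_key(MIRAI_TABLE_KEY))


if __name__ == "__main__":
    k = recover_key(XO1, b"Mozilla/5.0")
    print(f"key from crib: {k:#04x}, folded 0xdeadbeef: {fold_key(MIRAI_TABLE_KEY):#04x}")
    print(xor_bytes(XO1, k), xor_bytes(S1, k))
    print(sweep(build_blob(), k))
```

Because a variant can change the key, the crib check is the part to keep: if recover_key returns None for "Mozilla/5.0" the family may have moved to a multi-byte key, and the sweep output with any single byte will be noise rather than the resolv.conf, user-agent and C2 strings the table normally holds.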

Jbx Signature Overview


Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:53452 -> 85.98.33.21:23
Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 109.75.41.53:23 -> 192.168.2.23:57658
Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 109.75.41.53:23 -> 192.168.2.23:57658
Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 109.75.41.53:23 -> 192.168.2.23:57706
Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 109.75.41.53:23 -> 192.168.2.23:57706
Source: Traffic; Snort IDS: 716 INFO TELNET access 218.158.20.113:23 -> 192.168.2.23:55176
Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 109.75.41.53:23 -> 192.168.2.23:57714
Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 109.75.41.53:23 -> 192.168.2.23:57714
Source: Traffic; Snort IDS: 716 INFO TELNET access 218.158.20.113:23 -> 192.168.2.23:55184
Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 109.75.41.53:23 -> 192.168.2.23:57738
Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 109.75.41.53:23 -> 192.168.2.23:57738

Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.23:60182 -> 194.85.248.177:9506

Sample listens on a socket
Source: /tmp/SedZv73LJb (PID: 5218); Socket: 0.0.0.0::23
Source: /tmp/SedZv73LJb (PID: 5218); Socket: 0.0.0.0::0
Source: /tmp/SedZv73LJb (PID: 5218); Socket: 0.0.0.0::80
Source: /tmp/SedZv73LJb (PID: 5218); Socket: 0.0.0.0::81
Source: /tmp/SedZv73LJb (PID: 5218); Socket: 0.0.0.0::8443
Source: /tmp/SedZv73LJb (PID: 5218); Socket: 0.0.0.0::9009
Source: /tmp/SedZv73LJb (PID: 5224); Socket: 0.0.0.0::0
Source: /tmp/SedZv73LJb (PID: 5224); Socket: 0.0.0.0::80
Source: /tmp/SedZv73LJb (PID: 5224); Socket: 0.0.0.0::81
Source: /tmp/SedZv73LJb (PID: 5224); Socket: 0.0.0.0::8443
Source: /tmp/SedZv73LJb (PID: 5224); Socket: 0.0.0.0::9009
Source: /usr/sbin/sshd (PID: 5250); Socket: 0.0.0.0::22
Source: /usr/sbin/sshd (PID: 5250); Socket: [::]::22

Other network observations
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 33608
Source: unknown; Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 33608 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown; TCP traffic detected without corresponding DNS query to: 194.85.248.177, 68.20.73.222, 53.7.185.222, 193.19.134.102, 206.181.171.220, 208.127.165.164, 19.133.34.3, 251.47.7.130, 197.147.206.60, 155.23.166.37, 204.206.114.168, 141.155.189.87, 76.120.190.112, 73.77.62.155, 111.151.184.31, 146.209.214.200, 148.202.143.153, 168.155.156.21, 14.222.35.206, 115.108.236.144, 162.155.229.204, 19.70.204.185, 157.38.15.98, 109.86.34.71, 217.180.72.165, 177.27.67.169, 166.28.49.108, 174.37.25.112, 155.112.238.0, 38.198.113.148, 86.184.2.247, 82.74.127.37, 106.95.82.87, 82.159.78.152, 48.25.188.163, 194.78.224.129, 145.11.7.98, 36.164.103.147, 18.160.42.126, 75.134.118.42, 80.68.229.38, 207.85.65.225, 184.84.252.243, 70.224.215.167, 48.22.47.40, 75.91.72.202, 95.197.174.237, 12.60.239.205, 119.160.44.82, 146.254.139.189
Source: SedZv73LJb; String found in binary or memory: http://upx.sf.net
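
Read together, the Networking entries describe the sandbox VM (192.168.2.23) opening Telnet sessions to dozens of external addresses that were never resolved through DNS, sending a known HiSilicon DVR default root password to one of them (the "Inbound" in the ET rule name is from the DVR's point of view; here the VM is the client), collecting "login incorrect" from others, and making one TCP connection to 194.85.248.177 on the non-standard port 9506. The detection below is an added example, not Joe Sandbox code, that turns those observations into two rules a SOC could run over flow or IDS logs: a per-client count of distinct Telnet servers, and a list of connections to non-standard ports on addresses that never appeared in a DNS answer. The log lines are constructed in the report's own format; the first five carry addresses and ports from this report, the next three reuse addresses the report lists only as "no DNS query" with an assumed destination port, the last two add a benign host, and the port set, threshold and lower-port-is-the-server heuristic are assumptions to tune.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int, str, int]  # client, client port, server, server port

# Constructed log lines in the report's own format (see the lead-in for which parts are assumed)
LOG_LINES = [
    "Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:53452 -> 85.98.33.21:23",
    "Snort IDS: 1251 INFO TELNET Bad Login 109.75.41.53:23 -> 192.168.2.23:57658",
    "Snort IDS: 718 INFO TELNET login incorrect 109.75.41.53:23 -> 192.168.2.23:57706",
    "Snort IDS: 716 INFO TELNET access 218.158.20.113:23 -> 192.168.2.23:55176",
    "TCP traffic: 192.168.2.23:60182 -> 194.85.248.177:9506",
    "TCP traffic: 192.168.2.23:41000 -> 68.20.73.222:23",      # dport assumed
    "TCP traffic: 192.168.2.23:41001 -> 53.7.185.222:23",      # dport assumed
    "TCP traffic: 192.168.2.23:41002 -> 193.19.134.102:23",    # dport assumed
    "TCP traffic: 192.168.2.50:50001 -> 198.51.100.10:443",    # constructed benign host
    "TCP traffic: 192.168.2.50:50002 -> 198.51.100.10:443",
]
DNS_ANSWERS: Set[str] = {"198.51.100.10"}   # constructed: addresses seen in DNS replies

# Assumptions to tune per environment
STANDARD_PORTS = {21, 22, 23, 25, 53, 80, 123, 443, 993, 995}
TELNET_FANOUT_THRESHOLD = 5   # distinct TCP/23 servers per client before alerting

PAIR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_flows(lines: List[str]) -> List[Flow]:
    """Extract src:port -> dst:port pairs and orient them client -> server.
    The TELNET rules fire on the server's replies, so the side with the lower port
    number is taken to be the service (an assumption that fits Telnet, HTTP and beacons)."""
    flows = []
    for line in lines:
        m = PAIR_RE.search(line)
        if not m:
            continue
        a, ap, b, bp = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if ap < bp:
            a, ap, b, bp = b, bp, a, ap
        flows.append((a, ap, b, bp))
    return flows


def detect(flows: List[Flow], dns_answers: Set[str],
           fanout_threshold: int = TELNET_FANOUT_THRESHOLD) -> Dict[str, dict]:
    """Two rules derived from the report's Networking entries:
    1. a client opening Telnet to many distinct servers (credential scanning),
    2. a client talking to a non-standard port on an address it never resolved via DNS."""
    telnet: Dict[str, Set[str]] = defaultdict(set)
    beacons: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for client, _cport, server, sport in flows:
        if sport == 23:
            telnet[client].add(server)
        elif sport not in STANDARD_PORTS and server not in dns_answers:
            beacons[client].add((server, sport))
    findings = {}
    for client in set(telnet) | set(beacons):
        fanout, hits = len(telnet[client]), sorted(beacons[client])
        if fanout >= fanout_threshold or hits:
            findings[client] = {"telnet_fanout": fanout, "no_dns_nonstd": hits}
    return findings


if __name__ == "__main__":
    for client, finding in detect(parse_flows(LOG_LINES), DNS_ANSWERS).items():
        print(client, finding)
```

On the constructed input only 192.168.2.23 is reported, with six distinct Telnet servers and one no-DNS connection to 194.85.248.177:9506; the benign host's HTTPS to a resolved address produces nothing. The DNS correlation is what keeps the second rule quiet on normal hosts, so feed it the resolver's answers, not just query names.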

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5220.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY; Matched rule: Detects Mirai Botnet Malware, Author: Florian Roth
Source: 5220.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY; Matched rule: Detects ELF malware Mirai related, Author: Florian Roth
Source: 5226.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY; Matched rule: Detects Mirai Botnet Malware, Author: Florian Roth
Source: 5226.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY; Matched rule: Detects ELF malware Mirai related, Author: Florian Roth
Source: 5216.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY; Matched rule: Detects Mirai Botnet Malware, Author: Florian Roth
Source: 5216.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY; Matched rule: Detects ELF malware Mirai related, Author: Florian Roth
Source: 5218.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY; Matched rule: Detects Mirai Botnet Malware, Author: Florian Roth
Source: 5218.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY; Matched rule: Detects ELF malware Mirai related, Author: Florian Roth

Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings; Program segment: 0x100000

Yara signature match
Source: SedZv73LJb, type: SAMPLE; Matched rule: SUSP_ELF_LNX_UPX_Compressed_File (date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4)
Source: memory dumps 0000000047c7bfd3.0000000051fda745.rw-.sdmp and 0000000001011e93.00000000a387de8a.r-x.sdmp of PIDs 5216, 5218, 5220 and 5226, type: MEMORY; Matched rule: SUSP_XORed_Mozilla (date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research)
Source: memory dump 0000000001011e93.00000000a387de8a.r-x.sdmp of PIDs 5216, 5218, 5220 and 5226, type: MEMORY; Matched rule: Mirai_Botnet_Malware (date = 2016-10-04, author = Florian Roth, description = Detects Mirai Botnet Malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b)
Source: memory dump 0000000001011e93.00000000a387de8a.r-x.sdmp of PIDs 5216, 5218, 5220 and 5226, type: MEMORY; Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 (date = 2018-10-27, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9)

Sample tries to kill a process (SIGKILL)
Source: /tmp/SedZv73LJb (PID: 5218); SIGKILL sent: pid: 936, result: successful
Source: /tmp/SedZv73LJb (PID: 5224); SIGKILL sent: pid: 5218, result: successful
Source: /tmp/SedZv73LJb (PID: 5224); SIGKILL sent: pid: 759, result: successful

Source: classification engine; Classification label: mal84.troj.evad.lin@0/2@0/0

Data Obfuscation:

Sample is packed with UPX
Source: initial sample; String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $ (reported twice)
Source: initial sample; String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Enumerates processes within the "proc" file system
Source: /tmp/SedZv73LJb (PID: 5224); File opened: /proc/<pid>/fd and /proc/<pid>/exe for pids 2033, 1582, 1612, 1579, 1699, 1335, 1698, 2028, 1334, 1576, 2025, 912, 759, 918, 1594, 1349, 1623, 761, 1622, 884, 1983, 2038, 1586, 1465, 1344, 1860, 1463
Source: /tmp/SedZv73LJb (PID: 5224); File opened: /proc/<pid>/fd only for pids 4450, 4331, 2275, 2302, 3236, 2146, 2307, 5030, 2285, 2281, 1
Source: /tmp/SedZv73LJb (PID: 5224); File opened: /proc/<pid>/exe only for pids 910, 517
(each /proc/<pid>/fd open appears twice in the original listing)

Executes the "rm" command used to delete files or directories
Source: /usr/bin/dash (PID: 5258); Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.FfRdbVixpI /tmp/tmp.30Eql1npMD /tmp/tmp.8ub6rio7wF

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/SedZv73LJb (PID: 5216); Queries kernel information via 'uname':

Binary or memory strings
Source: SedZv73LJb, 5216.1.00000000bdff67fb.000000002920bcd6.rw-.sdmp, 5218.1.00000000bdff67fb.000000002920bcd6.rw-.sdmp, 5220.1.00000000bdff67fb.000000002920bcd6.rw-.sdmp, 5226.1.00000000bdff67fb.000000002920bcd6.rw-.sdmp; Binary or memory string: Mx86_64/usr/bin/qemu-mipsel/tmp/SedZv73LJbSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SedZv73LJb
Source: SedZv73LJb, 5216.1.00000000da7b14a4.00000000e5bbc230.rw-.sdmp, 5218.1.00000000da7b14a4.00000000e5bbc230.rw-.sdmp, 5220.1.00000000da7b14a4.00000000e5bbc230.rw-.sdmp, 5226.1.00000000da7b14a4.00000000e5bbc230.rw-.sdmp; Binary or memory string: /etc/qemu-binfmt/mipsel
Source: SedZv73LJb, 5216.1.00000000da7b14a4.00000000e5bbc230.rw-.sdmp, 5218.1.00000000da7b14a4.00000000e5bbc230.rw-.sdmp, 5220.1.00000000da7b14a4.00000000e5bbc230.rw-.sdmp, 5226.1.00000000da7b14a4.00000000e5bbc230.rw-.sdmp; Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: SedZv73LJb, 5216.1.00000000bdff67fb.000000002920bcd6.rw-.sdmp, 5218.1.00000000bdff67fb.000000002920bcd6.rw-.sdmp, 5220.1.00000000bdff67fb.000000002920bcd6.rw-.sdmp, 5226.1.00000000bdff67fb.000000002920bcd6.rw-.sdmp; Binary or memory string: /usr/bin/qemu-mipsel

    Stealing of Sensitive Information:

    Yara detected Mirai
    Source: Yara match; File source: 5220.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY
    Source: Yara match; File source: 5226.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY
    Source: Yara match; File source: 5216.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY
    Source: Yara match; File source: 5218.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY
    Source: Yara match; File source: dump.pcap, type: PCAP

    Remote Access Functionality:

    Yara detected Mirai
    Source: Yara match; File source: 5220.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY
    Source: Yara match; File source: 5226.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY
    Source: Yara match; File source: 5216.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY
    Source: Yara match; File source: 5218.1.0000000001011e93.00000000a387de8a.r-x.sdmp, type: MEMORY
    Source: Yara match; File source: dump.pcap, type: PCAP

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Obfuscated Files or Information (1) | OS Credential Dumping (1) | Security Software Discovery (11) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | File Deletion (1) | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

    Malware Configuration

    No configs have been found

    Behavior Graph

    Behavior Graph ID: 537271; Sample: SedZv73LJb; Start date: 09/12/2021; Architecture: LINUX; Score: 84
    DNS/IP info: 93.78.94.228 port 23 (VOLIA-ASUA, Ukraine); 37.222.28.119 port 23 (VODAFONE_ESES, Spain); 98 other IPs or domains
    Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Yara detected Mirai; Sample is packed with UPX
    Processes: SedZv73LJb started, spawning three SedZv73LJb children, the first of which spawns three further SedZv73LJb processes; systemd started sshd (two instances); dash started rm

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://upx.sf.net | SedZv73LJb | false | | high

      Contacted IPs


      Public


      Runtime Messages

      Command:/tmp/SedZv73LJb
      Exit Code:0
      Exit Code Info:
      Killed:False
      Standard Output:
      lzrd cock fest'/proc/'/exe
      Standard Error:

      Joe Sandbox View / Context

      IPs

      Match | Associated Sample Name / URL | SHA 256 | Detection | Context
      41.23.225.130 | ULM7uOGq51 | | malicious |

        Domains

        No context

        ASN


        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        /proc/5250/oom_score_adj
        Process:/usr/sbin/sshd
        File Type:ASCII text
        Category:dropped
        Size (bytes):6
        Entropy (8bit):1.7924812503605778
        Encrypted:false
        SSDEEP:3:ptn:Dn
        MD5:CBF282CC55ED0792C33D10003D1F760A
        SHA1:007DD8BD75468E6B7ABA4285E9B267202C7EAEED
        SHA-256:FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
        SHA-512:4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
        Malicious:false
        Reputation:high, very likely benign file
        Preview: -1000.
        /run/sshd.pid
        Process:/usr/sbin/sshd
        File Type:ASCII text
        Category:dropped
        Size (bytes):5
        Entropy (8bit):1.9219280948873623
        Encrypted:false
        SSDEEP:3:CAv:CK
        MD5:251228B89D027A84AC9239BB479F7FD1
        SHA1:CF25590A562FE1FA7E766ADEC3DD6581D12A9398
        SHA-256:784FD8846009847E8493CED7F73AB7AD790719F4E036C26C9F7EA83A5C1C6AE1
        SHA-512:8F5BF028A28757B7EBC33786D695ADA2FF547FCC226A3804BD9B20B41052607867EC9486DDC2498FA15C34EE8C5F4E405D46D5F43FCB291F9DA34B9991BE8E2E
        Malicious:false
        Reputation:low
        Preview: 5250.

        Static File Info

        General

        File type:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
        Entropy (8bit):7.907735920089907
        TrID:
        • ELF Executable and Linkable format (generic) (4004/1) 100.00%
        File name:SedZv73LJb
        File size:31960
        MD5:bdc02fe5c4e820cc750d4b5b7280f2cd
        SHA1:d49ff96bbfbd990ffdb4727a809b97eb05bf1c2a
        SHA256:a06645dcacd00b2ffa5db96729241c355e012fa87a2ef16d595a4bac7a7dcd10
        SHA512:5761b1230316be14335fb19f0d441377a16b28e4a809d77e9cd08da48d99c3e4ad14cd135cac186094c20cb245faa8d41d950540941e0686b70bb68cd39990bb
        SSDEEP:384:X3fpCLrsjHIX69URc+hmnulY1qHprFKt6zhS45vDajssVwfyhBTla39RWGVCz0Ng:nfpWcehzJFYKgULAssKfyhB5a3LWt
        File Content Preview:.ELF....................xh..4...........4. ...(......................{...{...............[...[E..[E....................4UPX!`........Y...Y......U..........?.E.h;....#......b.L.1*)....Nw3.42..J.dn....>7.G._=...F.....*b..3_..v~..4NBA9*.i&..Q..@e............

        Static ELF Info

        ELF header

        Class:ELF32
        Data:2's complement, little endian
        Version:1 (current)
        Machine:MIPS R3000
        Version Number:0x1
        Type:EXEC (Executable file)
        OS/ABI:UNIX - System V
        ABI Version:0
        Entry Point Address:0x106878
        Flags:0x1007
        ELF Header Size:52
        Program Header Offset:52
        Program Header Size:32
        Number of Program Headers:2
        Section Header Offset:0
        Section Header Size:40
        Number of Section Headers:0
        Header String Table Index:0

        Program Segments

        Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
        LOAD | 0x0 | 0x100000 | 0x100000 | 0x7bb5 | 0x7bb5 | 4.1579 | 0x5 | R E | 0x10000 | |
        LOAD | 0x5bd8 | 0x455bd8 | 0x455bd8 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x10000 | |

        Network Behavior

        Network Port Distribution

        TCP Packets


        System Behavior

        General

        Start time:17:05:02
        Start date:09/12/2021
        Path:/tmp/SedZv73LJb
        Arguments:/tmp/SedZv73LJb
        File size:5773336 bytes
        MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

        General

        Start time:17:05:02
        Start date:09/12/2021
        Path:/tmp/SedZv73LJb
        Arguments:n/a
        File size:5773336 bytes
        MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

        General

        Start time:17:05:02
        Start date:09/12/2021
        Path:/tmp/SedZv73LJb
        Arguments:n/a
        File size:5773336 bytes
        MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

        General

        Start time:17:05:02
        Start date:09/12/2021
        Path:/tmp/SedZv73LJb
        Arguments:n/a
        File size:5773336 bytes
        MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

        General

        Start time:17:05:02
        Start date:09/12/2021
        Path:/tmp/SedZv73LJb
        Arguments:n/a
        File size:5773336 bytes
        MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

        General

        Start time:17:05:02
        Start date:09/12/2021
        Path:/tmp/SedZv73LJb
        Arguments:n/a
        File size:5773336 bytes
        MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

        General

        Start time:17:05:02
        Start date:09/12/2021
        Path:/tmp/SedZv73LJb
        Arguments:n/a
        File size:5773336 bytes
        MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

        General

        Start time:17:05:10
        Start date:09/12/2021
        Path:/usr/lib/systemd/systemd
        Arguments:n/a
        File size:1620224 bytes
        MD5 hash:9b2bec7092a40488108543f9334aab75

        General

        Start time:17:05:10
        Start date:09/12/2021
        Path:/usr/sbin/sshd
        Arguments:/usr/sbin/sshd -t
        File size:876328 bytes
        MD5 hash:dbca7a6bbf7bf57fedac243d4b2cb340

        General

        Start time:17:05:10
        Start date:09/12/2021
        Path:/usr/lib/systemd/systemd
        Arguments:n/a
        File size:1620224 bytes
        MD5 hash:9b2bec7092a40488108543f9334aab75

        General

        Start time:17:05:10
        Start date:09/12/2021
        Path:/usr/sbin/sshd
        Arguments:/usr/sbin/sshd -D
        File size:876328 bytes
        MD5 hash:dbca7a6bbf7bf57fedac243d4b2cb340

        General

        Start time:17:05:25
        Start date:09/12/2021
        Path:/usr/bin/dash
        Arguments:n/a
        File size:129816 bytes
        MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

        General

        Start time:17:05:25
        Start date:09/12/2021
        Path:/usr/bin/rm
        Arguments:rm -f /tmp/tmp.FfRdbVixpI /tmp/tmp.30Eql1npMD /tmp/tmp.8ub6rio7wF
        File size:72056 bytes
        MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b