Play interactive tour

Edit tour

Linux Analysis Report phantom.arm7

Overview

General Information

Sample Name:	phantom.arm7
Analysis ID:	553476
MD5:	694e279c1a0cbc31db51aa3f1ee49b3e
SHA1:	d4fd45382263f89824d73cc136f8dcd21bab20a0
SHA256:	a75929884ae4782e41a878045f161f6cb2aaac641481db6060dde22bdc412761
Tags:	Mirai
Infos:

Detection

Mirai

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Uses known network protocols on non-standard ports

Sample contains only a LOAD segment without any section mappings

Yara signature match

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Executes the "systemctl" command used for controlling the systemd system and service manager

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Deletes log files

Executes commands using a shell command-line interpreter

Executes the "rm" command used to delete files or directories

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	553476
Start date:	15.01.2022
Start time:	00:29:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 47s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	phantom.arm7
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal72.troj.evad.linARM7@0/4@0/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing network information. TCP Packets have been reduced to 100

Process Tree

system is lnxubuntu20

systemd New Fork (PID: 5177, Parent: 1)

logrotate (PID: 5177, Parent: 1, MD5: ff9f6831debb63e53a31ff8057143af6) Arguments: /usr/sbin/logrotate /etc/logrotate.conf

logrotate New Fork (PID: 5219, Parent: 5177)

gzip (PID: 5219, Parent: 5177, MD5: beef4e1f54ec90564d2acd57c0b0c897) Arguments: /bin/gzip

logrotate New Fork (PID: 5220, Parent: 5177)

sh (PID: 5220, Parent: 5177, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log "

sh New Fork (PID: 5221, Parent: 5220)

invoke-rc.d (PID: 5221, Parent: 5220, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: invoke-rc.d --quiet cups restart

invoke-rc.d New Fork (PID: 5222, Parent: 5221)

runlevel (PID: 5222, Parent: 5221, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: /sbin/runlevel

invoke-rc.d New Fork (PID: 5223, Parent: 5221)

systemctl (PID: 5223, Parent: 5221, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-enabled cups.service

invoke-rc.d New Fork (PID: 5224, Parent: 5221)

ls (PID: 5224, Parent: 5221, MD5: e7793f15c2ff7e747b4bc7079f5cd4f7) Arguments: ls /etc/rc[S2345].d/S[0-9][0-9]cups

invoke-rc.d New Fork (PID: 5225, Parent: 5221)

systemctl (PID: 5225, Parent: 5221, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active cups.service

logrotate New Fork (PID: 5226, Parent: 5177)

gzip (PID: 5226, Parent: 5177, MD5: beef4e1f54ec90564d2acd57c0b0c897) Arguments: /bin/gzip

logrotate New Fork (PID: 5227, Parent: 5177)

sh (PID: 5227, Parent: 5177, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog

sh New Fork (PID: 5229, Parent: 5227)

rsyslog-rotate (PID: 5229, Parent: 5227, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/lib/rsyslog/rsyslog-rotate

rsyslog-rotate New Fork (PID: 5230, Parent: 5229)

systemctl (PID: 5230, Parent: 5229, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl kill -s HUP rsyslog.service

dash New Fork (PID: 5239, Parent: 4332)

cat (PID: 5239, Parent: 4332, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.Qx6sCqhUAx

dash New Fork (PID: 5240, Parent: 4332)

head (PID: 5240, Parent: 4332, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5241, Parent: 4332)

tr (PID: 5241, Parent: 4332, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5242, Parent: 4332)

cut (PID: 5242, Parent: 4332, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5243, Parent: 4332)

cat (PID: 5243, Parent: 4332, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.Qx6sCqhUAx

dash New Fork (PID: 5244, Parent: 4332)

head (PID: 5244, Parent: 4332, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5245, Parent: 4332)

tr (PID: 5245, Parent: 4332, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5246, Parent: 4332)

cut (PID: 5246, Parent: 4332, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5247, Parent: 4332)

rm (PID: 5247, Parent: 4332, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.Qx6sCqhUAx /tmp/tmp.ChPykC47j2 /tmp/tmp.PTIO2VlqDw

phantom.arm7 (PID: 5282, Parent: 5108, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/phantom.arm7

phantom.arm7 New Fork (PID: 5284, Parent: 5282)

phantom.arm7 New Fork (PID: 5384, Parent: 5284)

phantom.arm7 New Fork (PID: 5385, Parent: 5284)

phantom.arm7 New Fork (PID: 5388, Parent: 5385)

phantom.arm7 New Fork (PID: 5397, Parent: 5388)

phantom.arm7 New Fork (PID: 5398, Parent: 5388)

phantom.arm7 New Fork (PID: 5389, Parent: 5385)

phantom.arm7 New Fork (PID: 5392, Parent: 5385)

phantom.arm7 New Fork (PID: 5285, Parent: 5282)

phantom.arm7 New Fork (PID: 5287, Parent: 5282)

phantom.arm7 New Fork (PID: 5290, Parent: 5287)

phantom.arm7 New Fork (PID: 5380, Parent: 5290)

phantom.arm7 New Fork (PID: 5382, Parent: 5290)

phantom.arm7 New Fork (PID: 5291, Parent: 5287)

phantom.arm7 New Fork (PID: 5294, Parent: 5287)

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
phantom.arm7	SUSP_ELF_LNX_UPX_Compressed_File	Detects a suspicious ELF binary with UPX compression	Florian Roth	0x7c8c:$s1: PROT_EXEC\|PROT_WRITE failed. 0x7cfb:$s2: $Id: UPX 0x7cac:$s3: $Info: This file is packed with the UPX executable packer

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: phantom.arm7	Virustotal: Detection: 41%			Perma Link
Source: phantom.arm7	ReversingLabs: Detection: 44%

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 716 INFO TELNET access 186.7.192.35:23 -> 192.168.2.23:49572
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.167.206.80:23 -> 192.168.2.23:53454
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.167.206.80:23 -> 192.168.2.23:53454
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.7.192.35:23 -> 192.168.2.23:49592
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.122.237.221:23 -> 192.168.2.23:41146
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 74.198.250.247:23 -> 192.168.2.23:41632
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 74.198.250.247:23 -> 192.168.2.23:41632
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.7.192.35:23 -> 192.168.2.23:49598
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.7.192.35:23 -> 192.168.2.23:49634
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.7.192.35:23 -> 192.168.2.23:49686
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 74.198.250.247:23 -> 192.168.2.23:41746
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 74.198.250.247:23 -> 192.168.2.23:41746
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.7.192.35:23 -> 192.168.2.23:49722
Source: Traffic	Snort IDS: 716 INFO TELNET access 222.168.28.243:23 -> 192.168.2.23:33916
Source: Traffic	Snort IDS: 716 INFO TELNET access 222.168.28.243:23 -> 192.168.2.23:33922
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.7.192.35:23 -> 192.168.2.23:49738
Source: Traffic	Snort IDS: 716 INFO TELNET access 222.168.28.243:23 -> 192.168.2.23:33926
Source: Traffic	Snort IDS: 716 INFO TELNET access 222.168.28.243:23 -> 192.168.2.23:33930
Source: Traffic	Snort IDS: 716 INFO TELNET access 222.168.28.243:23 -> 192.168.2.23:33938
Source: Traffic	Snort IDS: 716 INFO TELNET access 222.168.28.243:23 -> 192.168.2.23:33946
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.7.192.35:23 -> 192.168.2.23:49758
Source: Traffic	Snort IDS: 716 INFO TELNET access 222.168.28.243:23 -> 192.168.2.23:33954
Source: Traffic	Snort IDS: 716 INFO TELNET access 222.168.28.243:23 -> 192.168.2.23:33956
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 74.198.250.247:23 -> 192.168.2.23:41804
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 74.198.250.247:23 -> 192.168.2.23:41804
Source: Traffic	Snort IDS: 716 INFO TELNET access 222.168.28.243:23 -> 192.168.2.23:33966
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.7.192.35:23 -> 192.168.2.23:49786
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 108.16.178.69:23 -> 192.168.2.23:38248
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 108.16.178.69:23 -> 192.168.2.23:38248
Source: Traffic	Snort IDS: 716 INFO TELNET access 222.168.28.243:23 -> 192.168.2.23:33968
Source: Traffic	Snort IDS: 716 INFO TELNET access 115.236.190.10:23 -> 192.168.2.23:45982
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 115.236.190.10:23 -> 192.168.2.23:45982
Source: Traffic	Snort IDS: 716 INFO TELNET access 89.173.230.40:23 -> 192.168.2.23:55336
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:41846 -> 74.198.250.247:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 115.236.190.10:23 -> 192.168.2.23:45996
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.167.206.80:23 -> 192.168.2.23:53696
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.167.206.80:23 -> 192.168.2.23:53696
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 74.198.250.247:23 -> 192.168.2.23:41846
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 74.198.250.247:23 -> 192.168.2.23:41846
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 115.236.190.10:23 -> 192.168.2.23:45996
Source: Traffic	Snort IDS: 716 INFO TELNET access 115.236.190.10:23 -> 192.168.2.23:46026
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.58.145.237:23 -> 192.168.2.23:55940
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 115.236.190.10:23 -> 192.168.2.23:46026
Source: Traffic	Snort IDS: 716 INFO TELNET access 115.236.190.10:23 -> 192.168.2.23:46040
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 74.198.250.247:23 -> 192.168.2.23:41888
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 74.198.250.247:23 -> 192.168.2.23:41888
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 115.236.190.10:23 -> 192.168.2.23:46040
Source: Traffic	Snort IDS: 716 INFO TELNET access 115.236.190.10:23 -> 192.168.2.23:46050
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 72.207.43.142:23 -> 192.168.2.23:55956
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 72.207.43.142:23 -> 192.168.2.23:55956
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 115.236.190.10:23 -> 192.168.2.23:46050
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 74.198.250.247:23 -> 192.168.2.23:41906
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 74.198.250.247:23 -> 192.168.2.23:41906
Source: Traffic	Snort IDS: 716 INFO TELNET access 115.236.190.10:23 -> 192.168.2.23:46102
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 72.207.43.142:23 -> 192.168.2.23:55970
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 72.207.43.142:23 -> 192.168.2.23:55970
Source: Traffic	Snort IDS: 716 INFO TELNET access 89.173.230.40:23 -> 192.168.2.23:55456
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:56020 -> 72.207.43.142:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 108.16.178.69:23 -> 192.168.2.23:38380
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 108.16.178.69:23 -> 192.168.2.23:38380
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 115.236.190.10:23 -> 192.168.2.23:46102
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.76.191.155:23 -> 192.168.2.23:46154
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.76.191.155:23 -> 192.168.2.23:46154
Source: Traffic	Snort IDS: 716 INFO TELNET access 115.236.190.10:23 -> 192.168.2.23:46124
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 72.207.43.142:23 -> 192.168.2.23:56030
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 72.207.43.142:23 -> 192.168.2.23:56030
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 74.198.250.247:23 -> 192.168.2.23:41976
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 74.198.250.247:23 -> 192.168.2.23:41976
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 115.236.190.10:23 -> 192.168.2.23:46124
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:53832 -> 14.167.206.80:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.167.206.80:23 -> 192.168.2.23:53832
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.167.206.80:23 -> 192.168.2.23:53832
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.58.145.237:23 -> 192.168.2.23:56046
Source: Traffic	Snort IDS: 716 INFO TELNET access 115.236.190.10:23 -> 192.168.2.23:46146
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.76.191.155:23 -> 192.168.2.23:46182
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.76.191.155:23 -> 192.168.2.23:46182
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 115.236.190.10:23 -> 192.168.2.23:46146
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 72.207.43.142:23 -> 192.168.2.23:56054
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 72.207.43.142:23 -> 192.168.2.23:56054
Source: Traffic	Snort IDS: 716 INFO TELNET access 115.236.190.10:23 -> 192.168.2.23:46206
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 74.198.250.247:23 -> 192.168.2.23:42024
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 74.198.250.247:23 -> 192.168.2.23:42024
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 115.236.190.10:23 -> 192.168.2.23:46206
Source: Traffic	Snort IDS: 716 INFO TELNET access 115.236.190.10:23 -> 192.168.2.23:46238
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.76.191.155:23 -> 192.168.2.23:46280
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.76.191.155:23 -> 192.168.2.23:46280
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 115.236.190.10:23 -> 192.168.2.23:46238
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 74.198.250.247:23 -> 192.168.2.23:42094
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 74.198.250.247:23 -> 192.168.2.23:42094
Source: Traffic	Snort IDS: 716 INFO TELNET access 89.173.230.40:23 -> 192.168.2.23:55610
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.76.191.155:23 -> 192.168.2.23:46346
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.76.191.155:23 -> 192.168.2.23:46346
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 92.207.147.166:23 -> 192.168.2.23:58992
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 92.207.147.166:23 -> 192.168.2.23:58992
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 108.16.178.69:23 -> 192.168.2.23:38576
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 108.16.178.69:23 -> 192.168.2.23:38576
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 74.198.250.247:23 -> 192.168.2.23:42170
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 74.198.250.247:23 -> 192.168.2.23:42170
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.58.145.237:23 -> 192.168.2.23:56242
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.76.191.155:23 -> 192.168.2.23:46390
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.76.191.155:23 -> 192.168.2.23:46390
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.167.206.80:23 -> 192.168.2.23:54054
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.167.206.80:23 -> 192.168.2.23:54054
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.160.106.38:23 -> 192.168.2.23:41842
Source: Traffic	Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 188.151.251.33: -> 192.168.2.23:
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 124.160.106.38:23 -> 192.168.2.23:41842
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.134.211.217:23 -> 192.168.2.23:38844
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.134.211.217:23 -> 192.168.2.23:38844
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.160.106.38:23 -> 192.168.2.23:41866
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.134.211.217:23 -> 192.168.2.23:38872
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.134.211.217:23 -> 192.168.2.23:38872
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.76.191.155:23 -> 192.168.2.23:46424
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.76.191.155:23 -> 192.168.2.23:46424
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 124.160.106.38:23 -> 192.168.2.23:41866
Source: Traffic	Snort IDS: 716 INFO TELNET access 190.167.136.26:23 -> 192.168.2.23:42840
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.134.211.217:23 -> 192.168.2.23:38888
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.134.211.217:23 -> 192.168.2.23:38888
Source: Traffic	Snort IDS: 716 INFO TELNET access 89.173.230.40:23 -> 192.168.2.23:55760
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.160.106.38:23 -> 192.168.2.23:41908
Source: Traffic	Snort IDS: 716 INFO TELNET access 190.167.136.26:23 -> 192.168.2.23:42860
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.161.31.122:23 -> 192.168.2.23:58914
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.161.31.122:23 -> 192.168.2.23:58914
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.6.237.240:23 -> 192.168.2.23:43246
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.134.211.217:23 -> 192.168.2.23:38934
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.134.211.217:23 -> 192.168.2.23:38934
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 124.160.106.38:23 -> 192.168.2.23:41908
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.6.237.240:23 -> 192.168.2.23:43278
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.134.211.217:23 -> 192.168.2.23:38954
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.134.211.217:23 -> 192.168.2.23:38954
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.160.106.38:23 -> 192.168.2.23:41968
Source: Traffic	Snort IDS: 716 INFO TELNET access 190.167.136.26:23 -> 192.168.2.23:42910
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.6.237.240:23 -> 192.168.2.23:43296
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.76.191.155:23 -> 192.168.2.23:46518
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.76.191.155:23 -> 192.168.2.23:46518
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 92.207.147.166:23 -> 192.168.2.23:59182
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 92.207.147.166:23 -> 192.168.2.23:59182
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 124.160.106.38:23 -> 192.168.2.23:41968
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:38776 -> 108.16.178.69:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.134.211.217:23 -> 192.168.2.23:38976
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.134.211.217:23 -> 192.168.2.23:38976
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 108.16.178.69:23 -> 192.168.2.23:38776
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 108.16.178.69:23 -> 192.168.2.23:38776
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.58.145.237:23 -> 192.168.2.23:56420
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.6.237.240:23 -> 192.168.2.23:43316
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.160.106.38:23 -> 192.168.2.23:42024
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.134.211.217:23 -> 192.168.2.23:39004
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.134.211.217:23 -> 192.168.2.23:39004
Source: Traffic	Snort IDS: 716 INFO TELNET access 190.167.136.26:23 -> 192.168.2.23:42944
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.46.98.16:23 -> 192.168.2.23:53028
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 124.160.106.38:23 -> 192.168.2.23:42024
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.46.98.16:23 -> 192.168.2.23:53028
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 209.105.129.228:23 -> 192.168.2.23:40670
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 209.105.129.228:23 -> 192.168.2.23:40670
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.134.211.217:23 -> 192.168.2.23:39066
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.134.211.217:23 -> 192.168.2.23:39066
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.6.237.240:23 -> 192.168.2.23:43362
Source: Traffic	Snort IDS: 716 INFO TELNET access 86.122.208.171:23 -> 192.168.2.23:40422
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 14.23.126.252:23 -> 192.168.2.23:37036
Source: Traffic	Snort IDS: 716 INFO TELNET access 86.122.208.171:23 -> 192.168.2.23:40438
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.76.191.155:23 -> 192.168.2.23:46620
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.76.191.155:23 -> 192.168.2.23:46620
Source: Traffic	Snort IDS: 716 INFO TELNET access 190.167.136.26:23 -> 192.168.2.23:43032
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 89.28.118.143:23 -> 192.168.2.23:45014
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 89.28.118.143:23 -> 192.168.2.23:45014
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.160.106.38:23 -> 192.168.2.23:42120
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.46.98.16:23 -> 192.168.2.23:53106
Source: Traffic	Snort IDS: 716 INFO TELNET access 86.122.208.171:23 -> 192.168.2.23:40456
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.134.211.217:23 -> 192.168.2.23:39120
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.134.211.217:23 -> 192.168.2.23:39120
Source: Traffic	Snort IDS: 716 INFO TELNET access 86.122.208.171:23 -> 192.168.2.23:40460
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.46.98.16:23 -> 192.168.2.23:53106
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.167.234.78:23 -> 192.168.2.23:34316
Source: Traffic	Snort IDS: 716 INFO TELNET access 86.122.208.171:23 -> 192.168.2.23:40472
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.6.237.240:23 -> 192.168.2.23:43438
Source: Traffic	Snort IDS: 716 INFO TELNET access 86.122.208.171:23 -> 192.168.2.23:40492
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 124.160.106.38:23 -> 192.168.2.23:42120
Source: Traffic	Snort IDS: 716 INFO TELNET access 86.122.208.171:23 -> 192.168.2.23:40514
Source: Traffic	Snort IDS: 716 INFO TELNET access 85.91.114.142:23 -> 192.168.2.23:40434
Source: Traffic	Snort IDS: 716 INFO TELNET access 38.18.160.116:23 -> 192.168.2.23:36578
Source: Traffic	Snort IDS: 716 INFO TELNET access 190.167.136.26:23 -> 192.168.2.23:43096
Source: Traffic	Snort IDS: 716 INFO TELNET access 65.113.147.54:23 -> 192.168.2.23:45482
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.46.98.16:23 -> 192.168.2.23:53182
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.134.211.217:23 -> 192.168.2.23:39166
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.134.211.217:23 -> 192.168.2.23:39166
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.167.206.80:23 -> 192.168.2.23:54382
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.167.206.80:23 -> 192.168.2.23:54382
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.6.237.240:23 -> 192.168.2.23:43508
Source: Traffic	Snort IDS: 716 INFO TELNET access 86.122.208.171:23 -> 192.168.2.23:40528
Source: Traffic	Snort IDS: 2023448 ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) 192.168.2.23:38888 -> 118.39.94.196:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 86.122.208.171:23 -> 192.168.2.23:40530
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.46.98.16:23 -> 192.168.2.23:53182
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 124.167.234.78:23 -> 192.168.2.23:34316
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.160.106.38:23 -> 192.168.2.23:42216
Source: Traffic	Snort IDS: 716 INFO TELNET access 86.122.208.171:23 -> 192.168.2.23:40552
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.6.237.240:23 -> 192.168.2.23:43538
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.163.152.184:23 -> 192.168.2.23:48396
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.163.152.184:23 -> 192.168.2.23:48396
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 38.18.160.116:23 -> 192.168.2.23:36578
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 38.18.160.116:23 -> 192.168.2.23:36578
Source: Traffic	Snort IDS: 716 INFO TELNET access 190.167.136.26:23 -> 192.168.2.23:43178
Source: Traffic	Snort IDS: 716 INFO TELNET access 65.113.147.54:23 -> 192.168.2.23:45530
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 118.171.193.102:23 -> 192.168.2.23:40804
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 118.171.193.102:23 -> 192.168.2.23:40804
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.46.98.16:23 -> 192.168.2.23:53224
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 14.23.126.252:23 -> 192.168.2.23:37186
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 118.39.94.196:23 -> 192.168.2.23:38888
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 118.39.94.196:23 -> 192.168.2.23:38888
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 124.160.106.38:23 -> 192.168.2.23:42216
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.167.234.78:23 -> 192.168.2.23:34424
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.46.98.16:23 -> 192.168.2.23:53224
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.76.191.155:23 -> 192.168.2.23:46792
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.76.191.155:23 -> 192.168.2.23:46792
Source: Traffic	Snort IDS: 716 INFO TELNET access 190.167.136.26:23 -> 192.168.2.23:43210
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 41.85.220.35:23 -> 192.168.2.23:38308
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 41.85.220.35:23 -> 192.168.2.23:38308
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.6.237.240:23 -> 192.168.2.23:43572
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.129.52.146:23 -> 192.168.2.23:37022
Source: Traffic	Snort IDS: 716 INFO TELNET access 89.173.230.40:23 -> 192.168.2.23:56136
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 112.54.7.208:23 -> 192.168.2.23:48682
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.160.106.38:23 -> 192.168.2.23:42302
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.46.98.16:23 -> 192.168.2.23:53288
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 124.167.234.78:23 -> 192.168.2.23:34424
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 123.129.52.146:23 -> 192.168.2.23:37022
Source: Traffic	Snort IDS: 716 INFO TELNET access 65.113.147.54:23 -> 192.168.2.23:45614
Source: Traffic	Snort IDS: 716 INFO TELNET access 186.6.237.240:23 -> 192.168.2.23:43638
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.46.98.16:23 -> 192.168.2.23:53288
Source: Traffic	Snort IDS: 716 INFO TELNET access 38.18.160.116:23 -> 192.168.2.23:36728
Source: Traffic	Snort IDS: 716 INFO TELNET access 80.234.123.34:23 -> 192.168.2.23:59832
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 124.160.106.38:23 -> 192.168.2.23:42302
Source: Traffic	Snort IDS: 716 INFO TELNET access 190.167.136.26:23 -> 192.168.2.23:43268
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.167.234.78:23 -> 192.168.2.23:34582
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.129.52.146:23 -> 192.168.2.23:37154
Source: Traffic	Snort IDS: 716 INFO TELNET access 80.234.123.34:23 -> 192.168.2.23:59908
Source: Traffic	Snort IDS: 716 INFO TELNET access 65.113.147.54:23 -> 192.168.2.23:45732
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.46.98.16:23 -> 192.168.2.23:53420
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 38.18.160.116:23 -> 192.168.2.23:36728
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 38.18.160.116:23 -> 192.168.2.23:36728
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.160.106.38:23 -> 192.168.2.23:42472
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.42.97.180:23 -> 192.168.2.23:35212
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 123.129.52.146:23 -> 192.168.2.23:37154
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.161.31.122:23 -> 192.168.2.23:59448
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.161.31.122:23 -> 192.168.2.23:59448
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.46.98.16:23 -> 192.168.2.23:53420
Source: Traffic	Snort IDS: 716 INFO TELNET access 80.234.123.34:23 -> 192.168.2.23:59980
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 118.171.193.102:23 -> 192.168.2.23:41026
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 118.171.193.102:23 -> 192.168.2.23:41026
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 124.167.234.78:23 -> 192.168.2.23:34582
Source: Traffic	Snort IDS: 716 INFO TELNET access 190.167.136.26:23 -> 192.168.2.23:43450
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 118.39.94.196:23 -> 192.168.2.23:39106
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 118.39.94.196:23 -> 192.168.2.23:39106
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 41.85.220.35:23 -> 192.168.2.23:38556
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 41.85.220.35:23 -> 192.168.2.23:38556
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 124.160.106.38:23 -> 192.168.2.23:42472
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 66.76.191.155:23 -> 192.168.2.23:47026
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 66.76.191.155:23 -> 192.168.2.23:47026
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.46.98.16:23 -> 192.168.2.23:53538
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.129.52.146:23 -> 192.168.2.23:37296
Source: Traffic	Snort IDS: 716 INFO TELNET access 65.113.147.54:23 -> 192.168.2.23:45858
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 92.207.147.166:23 -> 192.168.2.23:59790
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 92.207.147.166:23 -> 192.168.2.23:59790
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.58.145.237:23 -> 192.168.2.23:57010
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 14.23.126.252:23 -> 192.168.2.23:37514
Source: Traffic	Snort IDS: 716 INFO TELNET access 80.234.123.34:23 -> 192.168.2.23:60032
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 111.39.7.119:23 -> 192.168.2.23:40608
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.46.98.16:23 -> 192.168.2.23:53538
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.167.234.78:23 -> 192.168.2.23:34776
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.42.97.180:23 -> 192.168.2.23:35366
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.160.106.38:23 -> 192.168.2.23:42636
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 123.129.52.146:23 -> 192.168.2.23:37296
Source: Traffic	Snort IDS: 716 INFO TELNET access 38.18.160.116:23 -> 192.168.2.23:37052
Source: Traffic	Snort IDS: 716 INFO TELNET access 80.234.123.34:23 -> 192.168.2.23:60164
Source: Traffic	Snort IDS: 716 INFO TELNET access 65.113.147.54:23 -> 192.168.2.23:45976
Source: Traffic	Snort IDS: 716 INFO TELNET access 41.60.254.69:23 -> 192.168.2.23:56764
Source: Traffic	Snort IDS: 716 INFO TELNET access 118.46.98.16:23 -> 192.168.2.23:53676
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 108.16.178.69:23 -> 192.168.2.23:39472
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 108.16.178.69:23 -> 192.168.2.23:39472
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 124.160.106.38:23 -> 192.168.2.23:42636
Source: Traffic	Snort IDS: 716 INFO TELNET access 80.234.123.34:23 -> 192.168.2.23:60228
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.129.52.146:23 -> 192.168.2.23:37480
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 124.167.234.78:23 -> 192.168.2.23:34776
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 41.85.220.35:23 -> 192.168.2.23:38768
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 41.85.220.35:23 -> 192.168.2.23:38768
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 38.18.160.116:23 -> 192.168.2.23:37052
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 38.18.160.116:23 -> 192.168.2.23:37052
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 118.46.98.16:23 -> 192.168.2.23:53676
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.42.97.180:23 -> 192.168.2.23:35540
Source: Traffic	Snort IDS: 716 INFO TELNET access 65.113.147.54:23 -> 192.168.2.23:46106
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 89.28.118.143:23 -> 192.168.2.23:45722
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 89.28.118.143:23 -> 192.168.2.23:45722
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 14.23.126.252:23 -> 192.168.2.23:37760
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 123.129.52.146:23 -> 192.168.2.23:37480
Source: Traffic	Snort IDS: 716 INFO TELNET access 80.234.123.34:23 -> 192.168.2.23:60294
Source: Traffic	Snort IDS: 716 INFO TELNET access 124.167.234.78:23 -> 192.168.2.23:35028
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 209.105.129.228:23 -> 192.168.2.23:41458
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 209.105.129.228:23 -> 192.168.2.23:41458
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 74.50.34.127:23 -> 192.168.2.23:43590
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 74.50.34.127:23 -> 192.168.2.23:43590
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 118.39.94.196:23 -> 192.168.2.23:39468
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 118.39.94.196:23 -> 192.168.2.23:39468
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 118.171.193.102:23 -> 192.168.2.23:41396
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 118.171.193.102:23 -> 192.168.2.23:41396
Source: Traffic	Snort IDS: 716 INFO TELNET access 65.113.147.54:23 -> 192.168.2.23:46192
Source: Traffic	Snort IDS: 716 INFO TELNET access 85.91.114.142:23 -> 192.168.2.23:41148
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 112.113.68.13:23 -> 192.168.2.23:46374
Source: Traffic	Snort IDS: 716 INFO TELNET access 123.129.52.146:23 -> 192.168.2.23:37642
Source: Traffic	Snort IDS: 716 INFO TELNET access 111.42.97.180:23 -> 192.168.2.23:35654

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54754
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54762
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54768
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54778
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54786
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54798
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54806
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54810
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54816
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54826

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:54994 -> 95.213.159.92:1312

Source: /tmp/phantom.arm7 (PID: 5284)	Socket: 0.0.0.0::0
Source: /tmp/phantom.arm7 (PID: 5290)	Socket: 0.0.0.0::0

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 95.213.159.92
Source: unknown	TCP traffic detected without corresponding DNS query: 153.139.230.252
Source: unknown	TCP traffic detected without corresponding DNS query: 123.221.151.252
Source: unknown	TCP traffic detected without corresponding DNS query: 105.250.1.51
Source: unknown	TCP traffic detected without corresponding DNS query: 80.182.149.14
Source: unknown	TCP traffic detected without corresponding DNS query: 69.63.235.244
Source: unknown	TCP traffic detected without corresponding DNS query: 202.38.222.54
Source: unknown	TCP traffic detected without corresponding DNS query: 39.108.85.54
Source: unknown	TCP traffic detected without corresponding DNS query: 170.230.146.167
Source: unknown	TCP traffic detected without corresponding DNS query: 45.195.54.176
Source: unknown	TCP traffic detected without corresponding DNS query: 66.78.43.66
Source: unknown	TCP traffic detected without corresponding DNS query: 169.101.252.215
Source: unknown	TCP traffic detected without corresponding DNS query: 166.18.223.23
Source: unknown	TCP traffic detected without corresponding DNS query: 38.7.151.164
Source: unknown	TCP traffic detected without corresponding DNS query: 39.11.214.28
Source: unknown	TCP traffic detected without corresponding DNS query: 186.216.131.79
Source: unknown	TCP traffic detected without corresponding DNS query: 5.109.28.108
Source: unknown	TCP traffic detected without corresponding DNS query: 189.47.96.242
Source: unknown	TCP traffic detected without corresponding DNS query: 118.105.139.155
Source: unknown	TCP traffic detected without corresponding DNS query: 141.175.204.222
Source: unknown	TCP traffic detected without corresponding DNS query: 173.165.57.26
Source: unknown	TCP traffic detected without corresponding DNS query: 4.32.226.137
Source: unknown	TCP traffic detected without corresponding DNS query: 204.152.235.229
Source: unknown	TCP traffic detected without corresponding DNS query: 164.203.30.88
Source: unknown	TCP traffic detected without corresponding DNS query: 83.232.165.61
Source: unknown	TCP traffic detected without corresponding DNS query: 126.133.134.80
Source: unknown	TCP traffic detected without corresponding DNS query: 40.50.99.115
Source: unknown	TCP traffic detected without corresponding DNS query: 135.124.37.229
Source: unknown	TCP traffic detected without corresponding DNS query: 173.38.214.85
Source: unknown	TCP traffic detected without corresponding DNS query: 118.202.116.127
Source: unknown	TCP traffic detected without corresponding DNS query: 155.121.127.209
Source: unknown	TCP traffic detected without corresponding DNS query: 27.159.217.186
Source: unknown	TCP traffic detected without corresponding DNS query: 212.173.94.145
Source: unknown	TCP traffic detected without corresponding DNS query: 255.23.93.99
Source: unknown	TCP traffic detected without corresponding DNS query: 71.248.61.114
Source: unknown	TCP traffic detected without corresponding DNS query: 241.187.223.176
Source: unknown	TCP traffic detected without corresponding DNS query: 62.112.195.220
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.222.80
Source: unknown	TCP traffic detected without corresponding DNS query: 243.183.36.115
Source: unknown	TCP traffic detected without corresponding DNS query: 247.5.12.197
Source: unknown	TCP traffic detected without corresponding DNS query: 251.12.93.44
Source: unknown	TCP traffic detected without corresponding DNS query: 159.56.97.232
Source: unknown	TCP traffic detected without corresponding DNS query: 62.93.197.98
Source: unknown	TCP traffic detected without corresponding DNS query: 252.148.241.146
Source: unknown	TCP traffic detected without corresponding DNS query: 124.53.34.8
Source: unknown	TCP traffic detected without corresponding DNS query: 164.125.64.26
Source: unknown	TCP traffic detected without corresponding DNS query: 58.206.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 173.175.106.184
Source: unknown	TCP traffic detected without corresponding DNS query: 16.220.22.35
Source: unknown	TCP traffic detected without corresponding DNS query: 92.176.58.157

Source: phantom.arm7	String found in binary or memory: http://upx.sf.net
Source: motd-news.41.dr	String found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation

Source: LOAD without section mappings

Program segment: 0x8000

Source: phantom.arm7, type: SAMPLE

Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

Source: /tmp/phantom.arm7 (PID: 5284)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/phantom.arm7 (PID: 5290)	SIGKILL sent: pid: 936, result: successful

Source: classification engine

Classification label: mal72.troj.evad.linARM7@0/4@0/0

Data Obfuscation:

Sample is packed with UPX

Show sources

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/491/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/793/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/772/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/796/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/774/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/797/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/777/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/799/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/658/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/912/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/759/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/936/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/918/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/1/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/761/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/785/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/884/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/720/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/721/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/788/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/789/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/800/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/801/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/847/fd
Source: /tmp/phantom.arm7 (PID: 5284)	File opened: /proc/904/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/491/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/793/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/772/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/796/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/774/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/797/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/777/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/799/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/658/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/912/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/759/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/936/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/918/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/1/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/761/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/785/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/884/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/720/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/721/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/788/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/789/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/800/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/801/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/847/fd
Source: /tmp/phantom.arm7 (PID: 5290)	File opened: /proc/904/fd

Source: /usr/sbin/invoke-rc.d (PID: 5223)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-enabled cups.service
Source: /usr/sbin/invoke-rc.d (PID: 5225)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active cups.service
Source: /usr/lib/rsyslog/rsyslog-rotate (PID: 5230)	Systemctl executable: /usr/bin/systemctl -> systemctl kill -s HUP rsyslog.service

Source: /usr/sbin/logrotate (PID: 5220)	Shell command executed: sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log "
Source: /usr/sbin/logrotate (PID: 5227)	Shell command executed: sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog

Source: /usr/bin/dash (PID: 5247)

Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.Qx6sCqhUAx /tmp/tmp.ChPykC47j2 /tmp/tmp.PTIO2VlqDw

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54754
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54762
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54768
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54778
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54786
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54798
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54806
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54810
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54816
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 54826

Source: /tmp/phantom.arm7 (PID: 5282)

Queries kernel information via 'uname':

Source: /usr/sbin/logrotate (PID: 5177)

Truncated file: /var/log/syslog.1

Jump to behavior

Source: phantom.arm7, 5282.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5284.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5384.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5397.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5389.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5285.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5380.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5291.1.00000000be09fe06.0000000093de9c13.rw-.sdmp	Binary or memory string: 6V!/etc/qemu-binfmt/arm
Source: phantom.arm7, 5282.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5284.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5384.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5397.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5389.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5285.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5380.1.00000000be09fe06.0000000093de9c13.rw-.sdmp, phantom.arm7, 5291.1.00000000be09fe06.0000000093de9c13.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: phantom.arm7, 5282.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5284.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5384.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5397.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5389.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5285.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5380.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5291.1.000000002227e047.00000000093dc27a.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: phantom.arm7, 5282.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5284.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5384.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5397.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5389.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5285.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5380.1.000000002227e047.00000000093dc27a.rw-.sdmp, phantom.arm7, 5291.1.000000002227e047.00000000093dc27a.rw-.sdmp	Binary or memory string: *4x86_64/usr/bin/qemu-arm/tmp/phantom.arm7SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/phantom.arm7

Stealing of Sensitive Information:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality:

Yara detected Mirai

Show sources

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Systemd Service1	Systemd Service1	Scripting1	OS Credential Dumping1	Security Software Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Indicator Removal on Host1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	File Deletion1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
phantom.arm7	42%	Virustotal		Browse
phantom.arm7	44%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	phantom.arm7	false		high
https://ubuntu.com/blog/microk8s-memory-optimisation	motd-news.41.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
218.213.98.248	unknown	Hong Kong	9293	HKNET-VIPNETNTTComAsiaLimitedHK	false
87.111.199.128	unknown	Spain	12578	APOLLO-ASLatviaLV	false
163.160.133.44	unknown	United Kingdom	786	JANETJiscServicesLimitedGB	false
152.10.14.188	unknown	United States	81	NCRENUS	false
197.70.12.24	unknown	South Africa	16637	MTNNS-ASZA	false
145.143.210.214	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
241.177.126.73	unknown	Reserved	unknown	unknown	false
182.67.158.210	unknown	India	45609	BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService	false
139.182.20.199	unknown	United States	2152	CSUNET-NWUS	false
118.80.234.154	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
207.135.123.77	unknown	United States	6379	ALINKUS	false
106.202.148.185	unknown	India	45609	BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService	false
248.232.208.138	unknown	Reserved	unknown	unknown	false
34.143.68.120	unknown	United States	2686	ATGS-MMD-ASUS	false
42.114.32.124	unknown	Viet Nam	18403	FPT-AS-APTheCorporationforFinancingPromotingTechnolo	false
247.246.111.236	unknown	Reserved	unknown	unknown	false
27.104.18.65	unknown	Singapore	4773	MOBILEONELTD-AS-APMobileOneLtdMobileInternetServicePr	false
100.228.177.57	unknown	United States	21928	T-MOBILE-AS21928US	false
147.124.15.85	unknown	United States	1432	AC-AS-1US	false
123.122.220.188	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
171.219.208.110	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
44.25.148.226	unknown	United States	63479	HAMWANUS	false
167.113.139.135	unknown	United States	2055	LSU-1US	false
195.104.188.105	unknown	United Kingdom	8437	UTA-ASAT	false
203.125.134.199	unknown	Singapore	9255	CONNECTPLUS-ASSingaporeTelecomSG	false
246.238.233.170	unknown	Reserved	unknown	unknown	false
2.227.70.25	unknown	Italy	12874	FASTWEBIT	false
27.185.59.55	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
23.82.106.101	unknown	United States	15003	NOBIS-TECHUS	false
255.145.102.246	unknown	Reserved	unknown	unknown	false
70.30.247.34	unknown	Canada	577	BACOMCA	false
17.243.187.78	unknown	United States	714	APPLE-ENGINEERINGUS	false
105.150.165.56	unknown	Morocco	6713	IAM-ASMA	false
4.108.122.175	unknown	United States	3356	LEVEL3US	false
86.186.121.58	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
149.134.125.106	unknown	Belgium	137	ASGARRConsortiumGARREU	false
38.81.126.131	unknown	United States	22742	CT-EDU-NETUS	false
1.206.2.195	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
19.111.105.77	unknown	United States	3	MIT-GATEWAYSUS	false
27.214.161.154	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
209.21.92.209	unknown	United States	4965	AMERUS	false
36.184.46.4	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
2.153.134.156	unknown	Spain	12357	COMUNITELSPAINES	false
157.124.15.220	unknown	Finland	1738	OKOBANK-ASEU	false
177.25.67.243	unknown	Brazil	26599	TELEFONICABRASILSABR	false
160.240.28.119	unknown	Japan	11259	ANGOLATELECOMAO	false
97.95.115.29	unknown	United States	20115	CHARTER-20115US	false
36.17.156.161	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
153.224.15.50	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
159.47.76.226	unknown	United States	25019	SAUDINETSTC-ASSA	false
149.92.222.11	unknown	United States	174	COGENT-174US	false
183.55.130.56	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
186.113.231.59	unknown	Colombia	3816	COLOMBIATELECOMUNICACIONESSAESPCO	false
190.124.135.26	unknown	Argentina	28015	MERCOCOMUNICACIONESAR	false
219.93.199.32	unknown	Malaysia	4788	TMNET-AS-APTMNetInternetServiceProviderMY	false
213.51.243.83	unknown	Netherlands	33915	TNF-ASNL	false
253.90.162.142	unknown	Reserved	unknown	unknown	false
168.215.50.177	unknown	United States	10753	LVLT-10753US	false
86.138.188.94	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
171.119.45.227	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
220.42.223.49	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
244.3.44.78	unknown	Reserved	unknown	unknown	false
111.252.250.102	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
75.207.220.233	unknown	United States	22394	CELLCOUS	false
78.115.208.204	unknown	France	8228	CEGETEL-ASFR	false
208.141.122.111	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
27.67.23.1	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
2.58.237.116	unknown	Netherlands	47829	TELINDUSBV-ASNL	false
209.238.137.147	unknown	United States	2914	NTT-COMMUNICATIONS-2914US	false
4.223.21.141	unknown	United States	3356	LEVEL3US	false
90.209.130.88	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
199.3.75.179	unknown	United States	1239	SPRINTLINKUS	false
222.49.53.116	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
79.171.185.102	unknown	Czech Republic	43895	ZENTIVA-NETCZ	false
177.38.177.10	unknown	Brazil	52971	MICKSTELECOMEIRELIBR	false
105.69.125.167	unknown	Morocco	36884	MAROCCONNECTMA	false
223.58.255.34	unknown	Korea Republic of	9644	SKTELECOM-NET-ASSKTelecomKR	false
142.72.37.179	unknown	Canada	5769	VIDEOTRONCA	false
102.187.214.3	unknown	Egypt	24835	RAYA-ASEG	false
240.133.219.93	unknown	Reserved	unknown	unknown	false
89.87.195.142	unknown	France	5410	BOUYGTEL-ISPFR	false
136.46.33.110	unknown	United States	16591	GOOGLE-FIBERUS	false
244.128.218.41	unknown	Reserved	unknown	unknown	false
169.106.137.22	unknown	United States	37611	AfrihostZA	false
254.123.59.154	unknown	Reserved	unknown	unknown	false
125.73.206.208	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
146.3.52.165	unknown	Luxembourg	200139	STATENS-VEGVESENNO	false
209.67.241.170	unknown	United States	26254	568721-017489901135-1US	false
209.148.121.224	unknown	United States	7065	SONOMAUS	false
4.226.238.82	unknown	United States	3356	LEVEL3US	false
165.112.68.14	unknown	United States	3527	NIH-NETUS	false
97.202.183.182	unknown	United States	6167	CELLCO-PARTUS	false
146.125.98.63	unknown	United States	3260	INTRACOMGR	false
107.245.3.121	unknown	United States	7018	ATT-INTERNET4US	false
241.52.133.129	unknown	Reserved	unknown	unknown	false
169.247.53.223	unknown	United States	557	UMAINE-SYS-ASUS	false
197.248.19.130	unknown	Kenya	37061	SafaricomKE	false
101.127.49.33	unknown	Singapore	55430	STARHUB-NGNBNStarhubLtdSG	false
187.189.24.246	unknown	Mexico	22884	TOTALPLAYTELECOMUNICACIONESSADECVMX	false
66.157.27.184	unknown	United States	6389	BELLSOUTH-NET-BLKUS	false

Runtime Messages

Command:	/tmp/phantom.arm7
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/var/cache/motd-news Download File
Process:	/usr/bin/cut
File Type:	ASCII text
Category:	dropped
Size (bytes):	191
Entropy (8bit):	4.515771857099866
Encrypted:	false
SSDEEP:	3:P2lnI+5MsqqzNLz+FRNScHUBfRau95++sZzR5woLB1Fh0VTGTl/X5kURn:OZ8uNLzDc0pR75+9Zz/woFmIT52URn
MD5:	DD514F892B5F93ED615D366E58AC58AF
SHA1:	BA75EDB3C2232CC260BC187F604DC8F25AA72C11
SHA-256:	F40D0DCE6E83DF74109FEF5E68E51CC255727783EEAE04C3E34677E23F7552CF
SHA-512:	9150BDE63F6C4850C5340D8877892B4D9BBF9EBDC98CDCF557A93FA304C1222CEE446418F5BE2ACCDBF38393778AFA5D4F3EDCB37A47BF57D3A4B2DEAD42A2D0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	* Super-optimized for small spaces - read how we shrank the memory. footprint of MicroK8s to make it the smallest full K8s around... https://ubuntu.com/blog/microk8s-memory-optimisation.

/var/lib/logrotate/status.tmp Download File
Process:	/usr/sbin/logrotate
File Type:	ASCII text
Category:	dropped
Size (bytes):	1612
Entropy (8bit):	4.779549674633493
Encrypted:	false
SSDEEP:	48:UJYqJFN1r0pMK5Npq4pNaJNcsXNU3N6NA5l5xJtNq4wNZNDNU1LN3o9NBqJNCNqQ:grgTm4p0xe3MmxA4wTteJY+nCA5eC9kR
MD5:	77F126A1B1A352F8547E79A4D6BEAA07
SHA1:	B1A8C0E486540E4528057DE02A28EA65864894AF
SHA-256:	8C9089C17D1891CE563A56F87D7D09B3941CBA06E997C3A721A8C28A1224C19B
SHA-512:	31037BDFEDDCE2BE292E482ECB80F93E6D2F64D563FEB3F7D468A3B5588F917DCC2924A61FC8B5B8E80A94877CAE27B353703ED96051D71621631CE079D4B5BE
Malicious:	false
Reputation:	low
Preview:	logrotate state -- version 2."/var/log/syslog" 2022-1-15-0:30:6."/var/log/dpkg.log" 2022-1-14-23:29:42."/var/log/speech-dispatcher/debug-flite" 2021-8-20-13:0:0."/var/log/unattended-upgrades/unattended-upgrades.log" 2022-1-14-23:29:42."/var/log/unattended-upgrades/unattended-upgrades-shutdown.log" 2021-9-17-9:23:29."/var/log/auth.log" 2022-1-14-23:29:42."/var/log/apt/term.log" 2022-1-14-23:29:42."/var/log/ppp-connect-errors" 2021-8-20-13:0:0."/var/log/apport.log" 2021-9-17-9:23:29."/var/log/speech-dispatcher/speech-dispatcher-protocol.log" 2021-8-20-13:0:0."/var/log/apt/history.log" 2022-1-14-23:29:42."/var/log/boot.log" 2021-8-20-13:0:0."/var/log/alternatives.log" 2021-9-17-9:23:29."/var/log/lightdm/*.log" 2021-8-20-13:0:0."/var/log/mail.log" 2021-8-20-13:0:0."/var/log/debug" 2021-8-20-13:0:0."/var/log/kern.log" 2022-1-14-23:29:42."/var/log/cups/access_log" 2022-1-15-0:30:6."/var/log/ufw.log" 2021-8-20-13:0:0."/var/log/speech-dispatcher/speech-dispatcher.log" 2021-8-20-13:0:0."/var/lo

/var/log/cups/access_log.1.gz Download File
Process:	/bin/gzip
File Type:	gzip compressed data, last modified: Fri Jan 14 23:29:42 2022, from Unix
Category:	dropped
Size (bytes):	195
Entropy (8bit):	6.94046313417369
Encrypted:	false
SSDEEP:	3:FtcqERmn7s++hMxAyX1MVde9REM42rz2kAxKoixV0nFJTERnuQW7SiXfnBOM19h/:X5oF1TIEMgRnqVSSBaB1Tn/
MD5:	2DB96E5983CEA71B45E370A07336E9A2
SHA1:	F48DCE7CA8494E28310CF6597DFE633BB710BF4F
SHA-256:	F7A1D3A166E51EABC3E0F7432419A9AE9B9D1CCC9D0A2A6309E5FC22BD68850A
SHA-512:	006E034E859408115C26CE0F317B26E4E2B058FE41D120FA994EE60F5806B9D8E723AF86E2C58DC7E4AE02573DB68044E8D3C0907D80BAE017B4DF2506EC865A
Malicious:	false
Reputation:	low
Preview:	....f..a......0.....a5...5te1...f...HlzI[._.....9...........#.L.Q.T"W..a+.. )/U..Nu]r......f9..4..w.............M..`..6v.'..5^...x..T..^&$HL.h.6....x..T..f$m;."3.g."kip.ue...%..3.e....

/var/log/syslog.1.gz Download File
Process:	/bin/gzip
File Type:	gzip compressed data, last modified: Fri Jan 14 23:29:42 2022, from Unix
Category:	dropped
Size (bytes):	2961
Entropy (8bit):	7.929270943584188
Encrypted:	false
SSDEEP:	48:Xd7UUomMM4Vtn/Bvc8HLlsnSbXFFKGUE1XtRRSEUE5mp5tMWdwJB4CTC8:xUUgJVtnnlsnSrFFKGUExR7h5mdpdEBv
MD5:	7EC4669E4CBC24AE7E04B1BA9F9F1D12
SHA1:	72F458CF48A3AE031FCB91CC5AC766355534B622
SHA-256:	6CFB84FD76A2FEC63E98511F5BC335E2F44D7BD3A2E62224752ECE301BD31C02
SHA-512:	31DAC026EAE1590B5614AE9E0B048D20E06279059FBB62DB513E0490F8FACC05BFEFAE9D15D470E052DDC9567AF302F9EC0B2D27514C273DB675685B679A335F
Malicious:	false
Reputation:	low
Preview:	....f..a...\is...._...'...-R3.L....g.(.n..x ..X..C..._......R..~.!..{_ ....Gf8.....)N1..F...)...t.d.P..D.qA...o...o....C-0l..SCwz..C..:..N.P....A.7...r#b..}E..1G..zI....G...+.......,..Iq.Dd.Fe.....P.8Oh.g$F.+ ..&IJ...\|.s..QJ0=.#o%..E......1&..W.~...j..5..O.4.G8..-.......ScRH>..`.1..y\|...H.B..'E&...R...'...d....BS.ND4K..eD`..h.QLk..`...9M..yo. i.e.1...o.....`.w8.m.p. SBI.E.Mf.L).%..........^.04......y... r..-_...d...CH.\|h.._........;.......x..t&....j..$o.@.k5..`./.1cb.......p7..1. .......i.@..4....F.Z.....b..,..`:.$Nx..{..,...H..X..+..<....x.%..v.d..)....-....[.&1........'.$......e4...X..Z.H..~....O\.I.......3&.(.,.G...."..0pC.D.{A.K$..8......nz.{...z.e.fd;.K.@w]..C....M...>.".....F......}.r......L.Y....nO.x.'.................?Yy....?...8.xs.......[.......~~./.?of.A.V...M...1... .h...q......Z..`..A...]<..o.8...#k..G 3...e.S6.<k."L).h.d...4..E.s.o...8....0.@{...[.._..L]....9...9...+....,.I....'.<.i.x.!."...1..9...g..7H. .A5\|...." .D^$T 6....

Static File Info

General
File type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, stripped
Entropy (8bit):	7.976754133349613
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	phantom.arm7
File size:	48680
MD5:	694e279c1a0cbc31db51aa3f1ee49b3e
SHA1:	d4fd45382263f89824d73cc136f8dcd21bab20a0
SHA256:	a75929884ae4782e41a878045f161f6cb2aaac641481db6060dde22bdc412761
SHA512:	8a1fcddf0717b387ee8b8ea14bdeae6732cecd73dc9eabc31013fcf9c37fa23292d8b80144add206e23c84b6950d59a91bcf60dbb390cd2eb1719790622a3dca
SSDEEP:	768:hK7y1XGOZ3ypqTm1l2Juo7DlB+WtGE+a9kDTX9k9q3UEL4WgKYpugMye73hpq7pD:p12OpypqTm1l2Juo7JIWYE+jDL9NLZ0v
File Content Preview:	.ELF..............(.........4...........4. ...(......................................... b.. b.. b..................Q.td...............................OUPX!........~...~.......h..........?.E.h;....#..$...o...j=....(.M("....pW.1KF...._.5...o6.J2..n..g_....

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0xf198
Flags:	0x4000002
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x8000	0x8000	0x8385	0x8385	4.0453	0x5	R E	0x8000
LOAD	0x6220	0x26220	0x26220	0x0	0x0	0.0000	0x6	RW	0x8000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2022 00:30:19.637794018 CET	54994	1312	192.168.2.23	95.213.159.92
Jan 15, 2022 00:30:19.644948006 CET	24451	23	192.168.2.23	153.139.230.252
Jan 15, 2022 00:30:19.644953966 CET	24451	23	192.168.2.23	123.221.151.252
Jan 15, 2022 00:30:19.644964933 CET	24451	23	192.168.2.23	105.250.1.51
Jan 15, 2022 00:30:19.645107031 CET	24451	23	192.168.2.23	80.182.149.14
Jan 15, 2022 00:30:19.645109892 CET	24451	23	192.168.2.23	69.63.235.244
Jan 15, 2022 00:30:19.645123959 CET	24451	23	192.168.2.23	202.38.222.54
Jan 15, 2022 00:30:19.645128965 CET	24451	23	192.168.2.23	39.108.85.54
Jan 15, 2022 00:30:19.645136118 CET	24451	23	192.168.2.23	170.230.146.167
Jan 15, 2022 00:30:19.645143032 CET	24451	23	192.168.2.23	45.195.54.176
Jan 15, 2022 00:30:19.645145893 CET	24451	23	192.168.2.23	66.78.43.66
Jan 15, 2022 00:30:19.645170927 CET	24451	23	192.168.2.23	169.101.252.215
Jan 15, 2022 00:30:19.645185947 CET	24451	23	192.168.2.23	166.18.223.23
Jan 15, 2022 00:30:19.645193100 CET	24451	23	192.168.2.23	38.7.151.164
Jan 15, 2022 00:30:19.645209074 CET	24451	23	192.168.2.23	39.11.214.28
Jan 15, 2022 00:30:19.645225048 CET	24451	23	192.168.2.23	186.216.131.79
Jan 15, 2022 00:30:19.645232916 CET	24451	23	192.168.2.23	5.109.28.108
Jan 15, 2022 00:30:19.645236015 CET	24451	23	192.168.2.23	189.47.96.242
Jan 15, 2022 00:30:19.645245075 CET	24451	23	192.168.2.23	118.105.139.155
Jan 15, 2022 00:30:19.645253897 CET	24451	23	192.168.2.23	141.175.204.222
Jan 15, 2022 00:30:19.645262003 CET	24451	23	192.168.2.23	173.165.57.26
Jan 15, 2022 00:30:19.645394087 CET	24451	23	192.168.2.23	4.32.226.137
Jan 15, 2022 00:30:19.645452976 CET	24451	23	192.168.2.23	247.110.6.246
Jan 15, 2022 00:30:19.645498991 CET	24451	23	192.168.2.23	204.152.235.229
Jan 15, 2022 00:30:19.645601988 CET	24451	23	192.168.2.23	164.203.30.88
Jan 15, 2022 00:30:19.645620108 CET	24451	23	192.168.2.23	83.232.165.61
Jan 15, 2022 00:30:19.645632982 CET	24451	23	192.168.2.23	126.133.134.80
Jan 15, 2022 00:30:19.645659924 CET	24451	23	192.168.2.23	40.50.99.115
Jan 15, 2022 00:30:19.645836115 CET	24451	23	192.168.2.23	135.124.37.229
Jan 15, 2022 00:30:19.645843983 CET	24451	23	192.168.2.23	173.38.214.85
Jan 15, 2022 00:30:19.645848036 CET	24451	23	192.168.2.23	118.202.116.127
Jan 15, 2022 00:30:19.645903111 CET	24451	23	192.168.2.23	155.121.127.209
Jan 15, 2022 00:30:19.645962954 CET	24451	23	192.168.2.23	27.159.217.186
Jan 15, 2022 00:30:19.645977020 CET	24451	23	192.168.2.23	212.173.94.145
Jan 15, 2022 00:30:19.645982027 CET	24451	23	192.168.2.23	255.23.93.99
Jan 15, 2022 00:30:19.646106005 CET	24451	23	192.168.2.23	71.248.61.114
Jan 15, 2022 00:30:19.646112919 CET	24451	23	192.168.2.23	241.187.223.176
Jan 15, 2022 00:30:19.646121025 CET	24451	23	192.168.2.23	62.112.195.220
Jan 15, 2022 00:30:19.646126986 CET	24451	23	192.168.2.23	151.101.222.80
Jan 15, 2022 00:30:19.646130085 CET	24451	23	192.168.2.23	243.183.36.115
Jan 15, 2022 00:30:19.646133900 CET	24451	23	192.168.2.23	210.196.30.239
Jan 15, 2022 00:30:19.646156073 CET	24451	23	192.168.2.23	247.5.12.197
Jan 15, 2022 00:30:19.646168947 CET	24451	23	192.168.2.23	251.12.93.44
Jan 15, 2022 00:30:19.646171093 CET	24451	23	192.168.2.23	159.56.97.232
Jan 15, 2022 00:30:19.646182060 CET	24451	23	192.168.2.23	62.93.197.98
Jan 15, 2022 00:30:19.646189928 CET	24451	23	192.168.2.23	252.148.241.146
Jan 15, 2022 00:30:19.646219015 CET	24451	23	192.168.2.23	124.53.34.8
Jan 15, 2022 00:30:19.646233082 CET	24451	23	192.168.2.23	164.125.64.26
Jan 15, 2022 00:30:19.646234989 CET	24451	23	192.168.2.23	58.206.8.139
Jan 15, 2022 00:30:19.646260977 CET	24451	23	192.168.2.23	173.175.106.184
Jan 15, 2022 00:30:19.646267891 CET	24451	23	192.168.2.23	16.220.22.35
Jan 15, 2022 00:30:19.646274090 CET	24451	23	192.168.2.23	92.176.58.157
Jan 15, 2022 00:30:19.646297932 CET	24451	23	192.168.2.23	59.54.55.243
Jan 15, 2022 00:30:19.646315098 CET	24451	23	192.168.2.23	186.207.22.10
Jan 15, 2022 00:30:19.646348000 CET	24451	23	192.168.2.23	180.143.56.108
Jan 15, 2022 00:30:19.646425962 CET	24451	23	192.168.2.23	23.189.140.166
Jan 15, 2022 00:30:19.646459103 CET	24451	23	192.168.2.23	249.154.58.174
Jan 15, 2022 00:30:19.646487951 CET	24451	23	192.168.2.23	91.39.60.202
Jan 15, 2022 00:30:19.646502018 CET	24451	23	192.168.2.23	126.233.163.99
Jan 15, 2022 00:30:19.646701097 CET	24451	23	192.168.2.23	81.252.125.243
Jan 15, 2022 00:30:19.646723032 CET	24451	23	192.168.2.23	53.15.123.42
Jan 15, 2022 00:30:19.646745920 CET	24451	23	192.168.2.23	102.183.48.241
Jan 15, 2022 00:30:19.646774054 CET	24451	23	192.168.2.23	154.1.125.191
Jan 15, 2022 00:30:19.646804094 CET	24451	23	192.168.2.23	158.86.73.188
Jan 15, 2022 00:30:19.646821022 CET	24451	23	192.168.2.23	17.119.175.203
Jan 15, 2022 00:30:19.646835089 CET	24451	23	192.168.2.23	17.133.115.71
Jan 15, 2022 00:30:19.649573088 CET	24451	23	192.168.2.23	34.55.156.6
Jan 15, 2022 00:30:19.649655104 CET	24451	23	192.168.2.23	242.86.91.191
Jan 15, 2022 00:30:19.649683952 CET	24451	23	192.168.2.23	42.94.161.241
Jan 15, 2022 00:30:19.649704933 CET	24451	23	192.168.2.23	219.127.220.6
Jan 15, 2022 00:30:19.649725914 CET	24451	23	192.168.2.23	60.114.5.83
Jan 15, 2022 00:30:19.649784088 CET	24451	23	192.168.2.23	114.218.119.33
Jan 15, 2022 00:30:19.649822950 CET	24451	23	192.168.2.23	2.90.180.111
Jan 15, 2022 00:30:19.649841070 CET	24451	23	192.168.2.23	16.142.211.73
Jan 15, 2022 00:30:19.649857044 CET	24451	23	192.168.2.23	161.2.23.9
Jan 15, 2022 00:30:19.649977922 CET	24451	23	192.168.2.23	85.81.204.141
Jan 15, 2022 00:30:19.649993896 CET	24451	23	192.168.2.23	217.112.96.51
Jan 15, 2022 00:30:19.650022984 CET	24451	23	192.168.2.23	142.71.179.50
Jan 15, 2022 00:30:19.650033951 CET	24451	23	192.168.2.23	188.254.222.87
Jan 15, 2022 00:30:19.650185108 CET	24451	23	192.168.2.23	172.143.101.254
Jan 15, 2022 00:30:19.650194883 CET	24451	23	192.168.2.23	65.82.199.7
Jan 15, 2022 00:30:19.650322914 CET	24451	23	192.168.2.23	240.74.96.99
Jan 15, 2022 00:30:19.650361061 CET	24451	23	192.168.2.23	75.226.136.149
Jan 15, 2022 00:30:19.650388002 CET	24451	23	192.168.2.23	58.225.9.109
Jan 15, 2022 00:30:19.650428057 CET	24451	23	192.168.2.23	189.169.80.10
Jan 15, 2022 00:30:19.650461912 CET	24451	23	192.168.2.23	223.87.76.41
Jan 15, 2022 00:30:19.650540113 CET	24451	23	192.168.2.23	126.128.248.34
Jan 15, 2022 00:30:19.650563002 CET	24451	23	192.168.2.23	251.57.254.144
Jan 15, 2022 00:30:19.650585890 CET	24451	23	192.168.2.23	32.225.212.28
Jan 15, 2022 00:30:19.650599957 CET	24451	23	192.168.2.23	173.158.206.191
Jan 15, 2022 00:30:19.650638103 CET	24451	23	192.168.2.23	37.147.146.82
Jan 15, 2022 00:30:19.650660038 CET	24451	23	192.168.2.23	243.44.150.216
Jan 15, 2022 00:30:19.650686979 CET	24451	23	192.168.2.23	146.88.216.149
Jan 15, 2022 00:30:19.650722027 CET	24451	23	192.168.2.23	192.248.123.182
Jan 15, 2022 00:30:19.650759935 CET	24451	23	192.168.2.23	249.167.202.29
Jan 15, 2022 00:30:19.653675079 CET	24451	23	192.168.2.23	176.205.51.160
Jan 15, 2022 00:30:19.653702021 CET	24451	23	192.168.2.23	86.246.27.247
Jan 15, 2022 00:30:19.653709888 CET	24451	23	192.168.2.23	205.244.206.92
Jan 15, 2022 00:30:19.653729916 CET	24451	23	192.168.2.23	195.14.191.201
Jan 15, 2022 00:30:19.653785944 CET	24451	23	192.168.2.23	2.191.174.247

System Behavior

Analysis Process: systemd PID: 5177 Parent PID: 1

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: logrotate PID: 5177 Parent PID: 1

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/sbin/logrotate
Arguments:	/usr/sbin/logrotate /etc/logrotate.conf
File size:	84056 bytes
MD5 hash:	ff9f6831debb63e53a31ff8057143af6

Analysis Process: logrotate PID: 5219 Parent PID: 5177

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/sbin/logrotate
Arguments:	n/a
File size:	84056 bytes
MD5 hash:	ff9f6831debb63e53a31ff8057143af6

Analysis Process: gzip PID: 5219 Parent PID: 5177

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/bin/gzip
Arguments:	/bin/gzip
File size:	97496 bytes
MD5 hash:	beef4e1f54ec90564d2acd57c0b0c897

Analysis Process: logrotate PID: 5220 Parent PID: 5177

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/sbin/logrotate
Arguments:	n/a
File size:	84056 bytes
MD5 hash:	ff9f6831debb63e53a31ff8057143af6

Analysis Process: sh PID: 5220 Parent PID: 5177

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/bin/sh
Arguments:	sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log "
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 5221 Parent PID: 5220

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: invoke-rc.d PID: 5221 Parent PID: 5220

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/sbin/invoke-rc.d
Arguments:	invoke-rc.d --quiet cups restart
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: invoke-rc.d PID: 5222 Parent PID: 5221

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/sbin/invoke-rc.d
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: runlevel PID: 5222 Parent PID: 5221

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/sbin/runlevel
Arguments:	/sbin/runlevel
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: invoke-rc.d PID: 5223 Parent PID: 5221

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/sbin/invoke-rc.d
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: systemctl PID: 5223 Parent PID: 5221

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/bin/systemctl
Arguments:	systemctl --quiet is-enabled cups.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: invoke-rc.d PID: 5224 Parent PID: 5221

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/sbin/invoke-rc.d
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: ls PID: 5224 Parent PID: 5221

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/bin/ls
Arguments:	ls /etc/rc[S2345].d/S[0-9][0-9]cups
File size:	142144 bytes
MD5 hash:	e7793f15c2ff7e747b4bc7079f5cd4f7

Analysis Process: invoke-rc.d PID: 5225 Parent PID: 5221

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/sbin/invoke-rc.d
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: systemctl PID: 5225 Parent PID: 5221

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/bin/systemctl
Arguments:	systemctl --quiet is-active cups.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: logrotate PID: 5226 Parent PID: 5177

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/sbin/logrotate
Arguments:	n/a
File size:	84056 bytes
MD5 hash:	ff9f6831debb63e53a31ff8057143af6

Analysis Process: gzip PID: 5226 Parent PID: 5177

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/bin/gzip
Arguments:	/bin/gzip
File size:	97496 bytes
MD5 hash:	beef4e1f54ec90564d2acd57c0b0c897

Analysis Process: logrotate PID: 5227 Parent PID: 5177

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/sbin/logrotate
Arguments:	n/a
File size:	84056 bytes
MD5 hash:	ff9f6831debb63e53a31ff8057143af6

Analysis Process: sh PID: 5227 Parent PID: 5177

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/bin/sh
Arguments:	sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 5229 Parent PID: 5227

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: rsyslog-rotate PID: 5229 Parent PID: 5227

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/lib/rsyslog/rsyslog-rotate
Arguments:	/usr/lib/rsyslog/rsyslog-rotate
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: rsyslog-rotate PID: 5230 Parent PID: 5229

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/lib/rsyslog/rsyslog-rotate
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: systemctl PID: 5230 Parent PID: 5229

General

Start time:	00:30:06
Start date:	15/01/2022
Path:	/usr/bin/systemctl
Arguments:	systemctl kill -s HUP rsyslog.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: dash PID: 5239 Parent PID: 4332

General

Start time:	00:30:07
Start date:	15/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: cat PID: 5239 Parent PID: 4332

General

Start time:	00:30:07
Start date:	15/01/2022
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.Qx6sCqhUAx
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Analysis Process: dash PID: 5240 Parent PID: 4332

General

Start time:	00:30:07
Start date:	15/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: head PID: 5240 Parent PID: 4332

General

Start time:	00:30:07
Start date:	15/01/2022
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Analysis Process: dash PID: 5241 Parent PID: 4332

General

Start time:	00:30:07
Start date:	15/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: tr PID: 5241 Parent PID: 4332

General

Start time:	00:30:07
Start date:	15/01/2022
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Analysis Process: dash PID: 5242 Parent PID: 4332

General

Start time:	00:30:07
Start date:	15/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: cut PID: 5242 Parent PID: 4332

General

Start time:	00:30:07
Start date:	15/01/2022
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Analysis Process: dash PID: 5243 Parent PID: 4332

General

Start time:	00:30:08
Start date:	15/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: cat PID: 5243 Parent PID: 4332

General

Start time:	00:30:08
Start date:	15/01/2022
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.Qx6sCqhUAx
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Analysis Process: dash PID: 5244 Parent PID: 4332

General

Start time:	00:30:08
Start date:	15/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: head PID: 5244 Parent PID: 4332

General

Start time:	00:30:08
Start date:	15/01/2022
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Analysis Process: dash PID: 5245 Parent PID: 4332

General

Start time:	00:30:08
Start date:	15/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: tr PID: 5245 Parent PID: 4332

General

Start time:	00:30:08
Start date:	15/01/2022
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Analysis Process: dash PID: 5246 Parent PID: 4332

General

Start time:	00:30:08
Start date:	15/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: cut PID: 5246 Parent PID: 4332

General

Start time:	00:30:08
Start date:	15/01/2022
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Analysis Process: dash PID: 5247 Parent PID: 4332

General

Start time:	00:30:08
Start date:	15/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: rm PID: 5247 Parent PID: 4332

General

Start time:	00:30:08
Start date:	15/01/2022
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.Qx6sCqhUAx /tmp/tmp.ChPykC47j2 /tmp/tmp.PTIO2VlqDw
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Analysis Process: phantom.arm7 PID: 5282 Parent PID: 5108

General

Start time:	00:30:18
Start date:	15/01/2022
Path:	/tmp/phantom.arm7
Arguments:	/tmp/phantom.arm7
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: phantom.arm7 PID: 5284 Parent PID: 5282

General

Start time:	00:30:19
Start date:	15/01/2022
Path:	/tmp/phantom.arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: phantom.arm7 PID: 5384 Parent PID: 5284

General

Start time:	00:33:09
Start date:	15/01/2022
Path:	/tmp/phantom.arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: phantom.arm7 PID: 5385 Parent PID: 5284

General

Start time:	00:33:09
Start date:	15/01/2022
Path:	/tmp/phantom.arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: phantom.arm7 PID: 5388 Parent PID: 5385

General

Start time:	00:33:09
Start date:	15/01/2022
Path:	/tmp/phantom.arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: phantom.arm7 PID: 5397 Parent PID: 5388

General

Start time:	00:33:14
Start date:	15/01/2022
Path:	/tmp/phantom.arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: phantom.arm7 PID: 5398 Parent PID: 5388

General

Start time:	00:33:14
Start date:	15/01/2022
Path:	/tmp/phantom.arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: phantom.arm7 PID: 5389 Parent PID: 5385

General

Start time:	00:33:09
Start date:	15/01/2022
Path:	/tmp/phantom.arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: phantom.arm7 PID: 5392 Parent PID: 5385

General

Start time:	00:33:09
Start date:	15/01/2022
Path:	/tmp/phantom.arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: phantom.arm7 PID: 5285 Parent PID: 5282

General

Start time:	00:30:19
Start date:	15/01/2022
Path:	/tmp/phantom.arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: phantom.arm7 PID: 5287 Parent PID: 5282

General

Start time:	00:30:19
Start date:	15/01/2022
Path:	/tmp/phantom.arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: phantom.arm7 PID: 5290 Parent PID: 5287

General

Start time:	00:30:19
Start date:	15/01/2022
Path:	/tmp/phantom.arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: phantom.arm7 PID: 5380 Parent PID: 5290

General

Start time:	00:33:09
Start date:	15/01/2022
Path:	/tmp/phantom.arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: phantom.arm7 PID: 5382 Parent PID: 5290

General

Start time:	00:33:09
Start date:	15/01/2022
Path:	/tmp/phantom.arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: phantom.arm7 PID: 5291 Parent PID: 5287

General

Start time:	00:30:19
Start date:	15/01/2022
Path:	/tmp/phantom.arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: phantom.arm7 PID: 5294 Parent PID: 5287

General

Start time:	00:30:19
Start date:	15/01/2022
Path:	/tmp/phantom.arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*.
Tactics:	Defense Evasion
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report phantom.arm7

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

Initial Sample

PCAP (Network Traffic)

Jbx Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: systemd PID: 5177 Parent PID: 1

General

Analysis Process: logrotate PID: 5177 Parent PID: 1

General

Analysis Process: logrotate PID: 5219 Parent PID: 5177

General

Analysis Process: gzip PID: 5219 Parent PID: 5177

General

Analysis Process: logrotate PID: 5220 Parent PID: 5177

General

Analysis Process: sh PID: 5220 Parent PID: 5177

General

Analysis Process: sh PID: 5221 Parent PID: 5220

General

Analysis Process: invoke-rc.d PID: 5221 Parent PID: 5220

General

Analysis Process: invoke-rc.d PID: 5222 Parent PID: 5221

General

Analysis Process: runlevel PID: 5222 Parent PID: 5221

General

Analysis Process: invoke-rc.d PID: 5223 Parent PID: 5221