

Linux Analysis Report fVA3Q44QAK

Overview

General Information

Sample Name: fVA3Q44QAK
Analysis ID: 553483
MD5: cd6521521289846e8001d5f05cf0e10d
SHA1: ecb03ba794a579a02ad8e0ef94b29ebed527a155
SHA256: 00a6f460395d2f545eba81ead528fcf2883582412affb7b052e7fef3478361c0
Tags: 32, elf, intel, mirai

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Uses known network protocols on non-standard ports
Sample contains only a LOAD segment without any section mappings
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

None of the HTTP servers contacted by the sample answered. The sample is likely an old dropper that no longer works.

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553483
Start date: 15.01.2022
Start time: 01:01:50
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 25s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: fVA3Q44QAK
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal72.troj.evad.lin@0/0@0/0
Warnings:
  • Report size exceeded maximum capacity and may have missing network information.
  • TCP Packets have been reduced to 100

Process Tree

  • system is lnxubuntu20
  • dash New Fork (PID: 5264, Parent: 4331)
  • rm (PID: 5264, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.FZJy5QRkED /tmp/tmp.Cx4p8ienxO /tmp/tmp.ayYQw5P6KC
  • cleanup

Yara Overview

PCAP (Network Traffic)

  • Source: dump.pcap; Rule: JoeSecurity_Mirai_12; Description: Yara detected Mirai; Author: Joe Security

    Jbx Signature Overview


    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: fVA3Q44QAK; Virustotal: Detection: 36%
    Source: fVA3Q44QAK; ReversingLabs: Detection: 51%

    Networking:

    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Uses known network protocols on non-standard ports
    Source: global traffic; TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
    Source: global traffic; TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
    Source: global traffic; TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
    Source: global traffic; TCP traffic: 192.168.2.23:39274 -> 34.249.145.219:443
    Source: global traffic; TCP traffic: 192.168.2.23:51422 -> 136.144.41.15:1312
    Source: fVA3Q44QAK; String found in binary or memory: http://upx.sf.net
    Source: LOAD without section mappings; Program segment: 0xc01000
    Source: /tmp/fVA3Q44QAK (PID: 5219); SIGKILL sent: pid: 936, result: successful
    Source: /tmp/fVA3Q44QAK (PID: 5222); SIGKILL sent: pid: 936, result: successful
    Source: classification engine; Classification label: mal72.troj.evad.lin@0/0@0/0

    Data Obfuscation:

    Sample is packed with UPX
    Source: initial sample; String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
    Source: initial sample; String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
    Source: /usr/bin/dash (PID: 5264); Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.FZJy5QRkED /tmp/tmp.Cx4p8ienxO /tmp/tmp.ayYQw5P6KC

    Hooking and other Techniques for Hiding and Protection:

    Uses known network protocols on non-standard ports

    Stealing of Sensitive Information:

    Yara detected Mirai
    Source: Yara match; File source: dump.pcap, type: PCAP

    Remote Access Functionality:

    Yara detected Mirai
    Source: Yara match; File source: dump.pcap, type: PCAP

    Mitre Att&ck Matrix

    The matrix is listed here column by column; a digit following a technique name is the report's badge for that technique.

    • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
    • Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
    • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
    • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
    • Defense Evasion: Obfuscated Files or Information 1; File Deletion 1; Obfuscated Files or Information
    • Credential Access: OS Credential Dumping 1; LSASS Memory; Security Account Manager
    • Discovery: System Service Discovery; Application Window Discovery; Query Registry
    • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
    • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
    • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
    • Command and Control: Encrypted Channel 1; Non-Standard Port 11; Application Layer Protocol 1
    • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
    • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    • Impact: Modify System Partition; Device Lockout; Delete Device Data

    Malware Configuration

    No configs have been found

    Behavior Graph


    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Number of created Files
    • Is malicious
    • Internet
    [Behavior graph image. Recoverable details: Behavior Graph ID 553483, Sample fVA3Q44QAK, Start date 15/01/2022, Architecture LINUX, Score 72. Contacted hosts shown: 216.4.87.55 (XO-AS15, United States), 66.3.241.117 port 23 (XO-AS15, United States) and 98 other IPs or domains. Signatures shown: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file; Yara detected Mirai; 2 other signatures. Process tree shown: fVA3Q44QAK started and forked several generations of fVA3Q44QAK child processes; dash started rm.]

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    fVA3Q44QAK | 37% | Virustotal |
    fVA3Q44QAK | 51% | ReversingLabs | Linux.Trojan.Mirai

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://upx.sf.net | fVA3Q44QAK | false | | high

      Contacted IPs

      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs

      Public

      IP | Domain | Country | Flag | ASN | ASN Name | Malicious

      Runtime Messages

      Command:/tmp/fVA3Q44QAK
      Exit Code:0
      Exit Code Info:
      Killed:False
      Standard Output:
      Connected To CNC
      Standard Error:

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

      File type:ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
      Entropy (8bit):7.87055577615585
      TrID:
      • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
      • ELF Executable and Linkable format (generic) (4004/1) 49.84%
      File name:fVA3Q44QAK
      File size:24728
      MD5:cd6521521289846e8001d5f05cf0e10d
      SHA1:ecb03ba794a579a02ad8e0ef94b29ebed527a155
      SHA256:00a6f460395d2f545eba81ead528fcf2883582412affb7b052e7fef3478361c0
      SHA512:f454f474a2de88b0923adf988d07d94c0e352b444bfb94fbadc0a0cf842faef5daa1e9c651274c24c979e12f369ce138e6cb48d38eb133093704f06f79b3b320
      SSDEEP:768:i/QOC0Yhn6RODyF94cwNEFCnNBml1YHtfzbcN:i/nihnuFHwTNBuktcN
      File Content Preview:.ELF.....................g..4...........4. ...(......................_..._...................W...W..................Q.td...............................tUPX!....................Z........?d..ELF.......d.......4.,..4. (.......k.-.#.`...........?..P......d..l

      Static ELF Info

      ELF header

      Class:ELF32
      Data:2's complement, little endian
      Version:1 (current)
      Machine:Intel 80386
      Version Number:0x1
      Type:EXEC (Executable file)
      OS/ABI:UNIX - Linux
      ABI Version:0
      Entry Point Address:0xc067a0
      Flags:0x0
      ELF Header Size:52
      Program Header Offset:52
      Program Header Size:32
      Number of Program Headers:3
      Section Header Offset:0
      Section Header Size:40
      Number of Section Headers:0
      Header String Table Index:0

      Program Segments

      Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
      LOAD | 0x0 | 0xc01000 | 0xc01000 | 0x5f9b | 0x5f9b | 4.5585 | 0x5 | R E | 0x1000 | |
      LOAD | 0x700 | 0x8055700 | 0x8055700 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x1000 | |
      GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | |

      Network Behavior

      Network Port Distribution

      TCP Packets

      Timestamp | Source Port | Dest Port | Source IP | Dest IP

      System Behavior

      General

      Start time:01:02:31
      Start date:15/01/2022
      Path:/tmp/fVA3Q44QAK
      Arguments:/tmp/fVA3Q44QAK
      File size:24728 bytes
      MD5 hash:cd6521521289846e8001d5f05cf0e10d

      General

      Start time:01:02:31
      Start date:15/01/2022
      Path:/tmp/fVA3Q44QAK
      Arguments:n/a
      File size:24728 bytes
      MD5 hash:cd6521521289846e8001d5f05cf0e10d

      General

      Start time:01:05:21
      Start date:15/01/2022
      Path:/tmp/fVA3Q44QAK
      Arguments:n/a
      File size:24728 bytes
      MD5 hash:cd6521521289846e8001d5f05cf0e10d

      General

      Start time:01:05:21
      Start date:15/01/2022
      Path:/tmp/fVA3Q44QAK
      Arguments:n/a
      File size:24728 bytes
      MD5 hash:cd6521521289846e8001d5f05cf0e10d

      General

      Start time:01:05:21
      Start date:15/01/2022
      Path:/tmp/fVA3Q44QAK
      Arguments:n/a
      File size:24728 bytes
      MD5 hash:cd6521521289846e8001d5f05cf0e10d

      General

      Start time:01:05:26
      Start date:15/01/2022
      Path:/tmp/fVA3Q44QAK
      Arguments:n/a
      File size:24728 bytes
      MD5 hash:cd6521521289846e8001d5f05cf0e10d

      General

      Start time:01:05:26
      Start date:15/01/2022
      Path:/tmp/fVA3Q44QAK
      Arguments:n/a
      File size:24728 bytes
      MD5 hash:cd6521521289846e8001d5f05cf0e10d

      General

      Start time:01:05:21
      Start date:15/01/2022
      Path:/tmp/fVA3Q44QAK
      Arguments:n/a
      File size:24728 bytes
      MD5 hash:cd6521521289846e8001d5f05cf0e10d

      General

      Start time:01:05:21
      Start date:15/01/2022
      Path:/tmp/fVA3Q44QAK
      Arguments:n/a
      File size:24728 bytes
      MD5 hash:cd6521521289846e8001d5f05cf0e10d

      General

      Start time:01:02:31
      Start date:15/01/2022
      Path:/tmp/fVA3Q44QAK
      Arguments:n/a
      File size:24728 bytes
      MD5 hash:cd6521521289846e8001d5f05cf0e10d

      General

      Start time:01:02:31
      Start date:15/01/2022
      Path:/tmp/fVA3Q44QAK
      Arguments:n/a
      File size:24728 bytes
      MD5 hash:cd6521521289846e8001d5f05cf0e10d

      General

      Start time:01:02:31
      Start date:15/01/2022
      Path:/tmp/fVA3Q44QAK
      Arguments:n/a
      File size:24728 bytes
      MD5 hash:cd6521521289846e8001d5f05cf0e10d

      General

      Start time:01:05:21
      Start date:15/01/2022
      Path:/tmp/fVA3Q44QAK
      Arguments:n/a
      File size:24728 bytes
      MD5 hash:cd6521521289846e8001d5f05cf0e10d

      General

      Start time:01:05:21
      Start date:15/01/2022
      Path:/tmp/fVA3Q44QAK
      Arguments:n/a
      File size:24728 bytes
      MD5 hash:cd6521521289846e8001d5f05cf0e10d

      General

      Start time:01:02:31
      Start date:15/01/2022
      Path:/tmp/fVA3Q44QAK
      Arguments:n/a
      File size:24728 bytes
      MD5 hash:cd6521521289846e8001d5f05cf0e10d

      General

      Start time:01:02:31
      Start date:15/01/2022
      Path:/tmp/fVA3Q44QAK
      Arguments:n/a
      File size:24728 bytes
      MD5 hash:cd6521521289846e8001d5f05cf0e10d

      General

      Start time:01:03:56
      Start date:15/01/2022
      Path:/usr/bin/dash
      Arguments:n/a
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      General

      Start time:01:03:56
      Start date:15/01/2022
      Path:/usr/bin/rm
      Arguments:rm -f /tmp/tmp.FZJy5QRkED /tmp/tmp.Cx4p8ienxO /tmp/tmp.ayYQw5P6KC
      File size:72056 bytes
      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b