
Linux Analysis Report 52lN2HSY7O

Overview

General Information

Sample Name: 52lN2HSY7O
Analysis ID: 553492
MD5: e0db3c63694e83c4ea4187a6fd40c9d2
SHA1: d04a564f43e9ed664478443199b196d6cb191580
SHA256: da6d168edfc190ef5f7a8ae9ad40de97ea559989c3f7421af1c9a0909522dbf4
Tags: 32, elf, mirai, motorola

Detection

Mirai
Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

None of the HTTP servers contacted by the sample answer. The sample is likely an old dropper that no longer works.
The machine description in the static ELF header suggests that the sample might not execute correctly on this analysis machine.

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553492
Start date: 15.01.2022
Start time: 01:33:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 34s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 52lN2HSY7O
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal68.troj.lin@0/1@0/0
Warnings:
  • Report size exceeded maximum capacity and may have missing network information.
  • TCP Packets have been reduced to 100

Process Tree

  • system is lnxubuntu20
  • dash New Fork (PID: 5186, Parent: 4331)
  • cat (PID: 5186, Parent: 4331, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.JmXH35JStJ
  • dash New Fork (PID: 5187, Parent: 4331)
  • head (PID: 5187, Parent: 4331, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10
  • dash New Fork (PID: 5188, Parent: 4331)
  • tr (PID: 5188, Parent: 4331, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
  • dash New Fork (PID: 5189, Parent: 4331)
  • cut (PID: 5189, Parent: 4331, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80
  • dash New Fork (PID: 5190, Parent: 4331)
  • cat (PID: 5190, Parent: 4331, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.JmXH35JStJ
  • dash New Fork (PID: 5191, Parent: 4331)
  • head (PID: 5191, Parent: 4331, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10
  • dash New Fork (PID: 5192, Parent: 4331)
  • tr (PID: 5192, Parent: 4331, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
  • dash New Fork (PID: 5193, Parent: 4331)
  • cut (PID: 5193, Parent: 4331, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80
  • dash New Fork (PID: 5194, Parent: 4331)
  • rm (PID: 5194, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.JmXH35JStJ /tmp/tmp.AdZnWFxIG7 /tmp/tmp.Bef8J1nfzZ
  • cleanup

Yara Overview

PCAP (Network Traffic)

Source: dump.pcap | Rule: JoeSecurity_Mirai_12 | Description: Yara detected Mirai | Author: Joe Security | Strings: (none)

    Jbx Signature Overview

    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: 52lN2HSY7O; Virustotal: Detection: 55%
    Source: 52lN2HSY7O; ReversingLabs: Detection: 62%

    Networking:

    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Uses known network protocols on non-standard ports
    Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
    Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
    Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
    Source: global trafficTCP traffic: 192.168.2.23:51422 -> 136.144.41.15:1312
    Source: /tmp/52lN2HSY7O (PID: 5244)Socket: 0.0.0.0::0
    Source: /tmp/52lN2HSY7O (PID: 5250)Socket: 0.0.0.0::0
    Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
    Source: motd-news.18.drString found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation
    Source: ELF static info symbol of initial sample.symtab present: no
    Source: /tmp/52lN2HSY7O (PID: 5244)SIGKILL sent: pid: 936, result: successful
    Source: /tmp/52lN2HSY7O (PID: 5250)SIGKILL sent: pid: 936, result: successful
    Source: classification engineClassification label: mal68.troj.lin@0/1@0/0
    Source: /usr/bin/dash (PID: 5194)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.JmXH35JStJ /tmp/tmp.AdZnWFxIG7 /tmp/tmp.Bef8J1nfzZ

    Hooking and other Techniques for Hiding and Protection:

    Uses known network protocols on non-standard ports
    Source: /tmp/52lN2HSY7O (PID: 5242) Queries kernel information via 'uname':
    Source: 52lN2HSY7O, 5242.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5244.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5343.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5359.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5352.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5245.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5342.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5251.1.00000000c82da646.00000000f362cca0.rw-.sdmp Binary or memory string: /usr/bin/qemu-m68k
    Source: 52lN2HSY7O, 5242.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5244.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5343.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5359.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5352.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5245.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5342.1.00000000c82da646.00000000f362cca0.rw-.sdmp, 52lN2HSY7O, 5251.1.00000000c82da646.00000000f362cca0.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/52lN2HSY7OSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/52lN2HSY7O
    Source: 52lN2HSY7O, 5242.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5244.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5343.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5359.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5352.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5245.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5342.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5251.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp Binary or memory string: DV!/etc/qemu-binfmt/m68k
    Source: 52lN2HSY7O, 5242.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5244.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5343.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5359.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5352.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5245.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5342.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp, 52lN2HSY7O, 5251.1.00000000339dc745.00000000b9d6bab0.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/m68k

    Stealing of Sensitive Information:

    Yara detected Mirai
    Source: Yara match, File source: dump.pcap, type: PCAP

    Remote Access Functionality:

    Yara detected Mirai
    Source: Yara match, File source: dump.pcap, type: PCAP

    Mitre Att&ck Matrix

    Techniques per tactic (the number in parentheses is the count of matched signatures shown in the original matrix):

    • Initial Access: Valid Accounts, Default Accounts, Domain Accounts
    • Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux)
    • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows)
    • Privilege Escalation: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows)
    • Defense Evasion: File Deletion (1), Rootkit, Obfuscated Files or Information
    • Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager
    • Discovery: Security Software Discovery (11), Application Window Discovery, Query Registry
    • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
    • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive
    • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
    • Command and Control: Encrypted Channel (1), Non-Standard Port (11), Application Layer Protocol (1)
    • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location
    • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
    • Impact: Modify System Partition, Device Lockout, Delete Device Data

    Malware Configuration

    No configs have been found

    Behavior Graph

    [Behavior graph image not reproduced; recoverable labels: Behavior Graph ID: 553492, Sample: 52lN2HSY7O, Startdate: 15/01/2022, Architecture: LINUX, Score: 68. Network nodes: 220.216.169.230 (XEPHION NTT-ME Corporation JP, Japan), 58.6.149.98 (WESTNET-AS-AP Westnet Internet Services AU, Australia), and 98 other IPs or domains. Signature nodes: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file; Yara detected Mirai; Uses known network protocols on non-standard ports. Process nodes: dash starts rm, 52lN2HSY7O, cat, tr and 6 other processes; 52lN2HSY7O then forks into further 52lN2HSY7O child processes, five levels deep in the graph.]

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    52lN2HSY7O | 56% | Virustotal | (none)
    52lN2HSY7O | 63% | ReversingLabs | Linux.Trojan.Mirai

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    https://ubuntu.com/blog/microk8s-memory-optimisation | motd-news.18.dr | false | (none) | high

      Contacted IPs



      Runtime Messages

      Command:/tmp/52lN2HSY7O
      Exit Code:0
      Exit Code Info:
      Killed:False
      Standard Output:
      Connected To CNC
      Standard Error:

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      /var/cache/motd-news
      Process:/usr/bin/cut
      File Type:ASCII text
      Category:dropped
      Size (bytes):191
      Entropy (8bit):4.515771857099866
      Encrypted:false
      SSDEEP:3:P2lnI+5MsqqzNLz+FRNScHUBfRau95++sZzR5woLB1Fh0VTGTl/X5kURn:OZ8uNLzDc0pR75+9Zz/woFmIT52URn
      MD5:DD514F892B5F93ED615D366E58AC58AF
      SHA1:BA75EDB3C2232CC260BC187F604DC8F25AA72C11
      SHA-256:F40D0DCE6E83DF74109FEF5E68E51CC255727783EEAE04C3E34677E23F7552CF
      SHA-512:9150BDE63F6C4850C5340D8877892B4D9BBF9EBDC98CDCF557A93FA304C1222CEE446418F5BE2ACCDBF38393778AFA5D4F3EDCB37A47BF57D3A4B2DEAD42A2D0
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview: * Super-optimized for small spaces - read how we shrank the memory. footprint of MicroK8s to make it the smallest full K8s around... https://ubuntu.com/blog/microk8s-memory-optimisation.

      Static File Info

      General

      File type:ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
      Entropy (8bit):6.214678185526423
      TrID:
      • ELF Executable and Linkable format (generic) (4004/1) 100.00%
      File name:52lN2HSY7O
      File size:53052
      MD5:e0db3c63694e83c4ea4187a6fd40c9d2
      SHA1:d04a564f43e9ed664478443199b196d6cb191580
      SHA256:da6d168edfc190ef5f7a8ae9ad40de97ea559989c3f7421af1c9a0909522dbf4
      SHA512:540dd1a5feed9777760399c626a0ce4dfcee4bf3d39c5631765a7b949fa2084495cb458ee31efe017a16171409049159d841abb5175df66ecbad22f53dcb7fbb
      SSDEEP:768:8CeKEfhe5XdrbejRIcfFMQ/5MdgFHj0iPuvWeffpqmUJTXr6Lu380D3:dsfIBZe5tJrFj0imvppqmUJP6Lc82
      File Content Preview:.ELF.......................D...4.........4. ...(.................................. ....................p.......... .dt.Q............................NV..a....da.....N^NuNV..J9...lf>"y.... QJ.g.X.#.....N."y.... QJ.f.A.....J.g.Hy....N.X........lN^NuNV..N^NuN

      Static ELF Info

      ELF header

      Class:ELF32
      Data:2's complement, big endian
      Version:1 (current)
      Machine:MC68000
      Version Number:0x1
      Type:EXEC (Executable file)
      OS/ABI:UNIX - System V
      ABI Version:0
      Entry Point Address:0x80000144
      Flags:0x0
      ELF Header Size:52
      Program Header Offset:52
      Program Header Size:32
      Number of Program Headers:3
      Section Header Offset:52652
      Section Header Size:40
      Number of Section Headers:10
      Header String Table Index:9

      Sections

      Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
      (null) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
      .init | PROGBITS | 0x80000094 | 0x94 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 2
      .text | PROGBITS | 0x800000a8 | 0xa8 | 0xc5d6 | 0x0 | 0x6 | AX | 0 | 0 | 4
      .fini | PROGBITS | 0x8000c67e | 0xc67e | 0xe | 0x0 | 0x6 | AX | 0 | 0 | 2
      .rodata | PROGBITS | 0x8000c68c | 0xc68c | 0x56c | 0x0 | 0x2 | A | 0 | 0 | 2
      .ctors | PROGBITS | 0x8000ebfc | 0xcbfc | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
      .dtors | PROGBITS | 0x8000ec04 | 0xcc04 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
      .data | PROGBITS | 0x8000ec10 | 0xcc10 | 0x15c | 0x0 | 0x3 | WA | 0 | 0 | 4
      .bss | NOBITS | 0x8000ed6c | 0xcd6c | 0x23c | 0x0 | 0x3 | WA | 0 | 0 | 4
      .shstrtab | STRTAB | 0x0 | 0xcd6c | 0x3e | 0x0 | 0x0 | | 0 | 0 | 1

      Program Segments

      Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
      LOAD | 0x0 | 0x80000000 | 0x80000000 | 0xcbf8 | 0xcbf8 | 4.2316 | 0x5 | R E | 0x2000 | | .init .text .fini .rodata
      LOAD | 0xcbfc | 0x8000ebfc | 0x8000ebfc | 0x170 | 0x3ac | 0.2775 | 0x6 | RW | 0x2000 | | .ctors .dtors .data .bss
      GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | |

      Network Behavior

      Network Port Distribution

      TCP Packets


      System Behavior

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/dash
      Arguments:n/a
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/cat
      Arguments:cat /tmp/tmp.JmXH35JStJ
      File size:43416 bytes
      MD5 hash:7e9d213e404ad3bb82e4ebb2e1f2c1b3

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/dash
      Arguments:n/a
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/head
      Arguments:head -n 10
      File size:47480 bytes
      MD5 hash:fd96a67145172477dd57131396fc9608

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/dash
      Arguments:n/a
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/tr
      Arguments:tr -d \\000-\\011\\013\\014\\016-\\037
      File size:51544 bytes
      MD5 hash:fbd1402dd9f72d8ebfff00ce7c3a7bb5

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/dash
      Arguments:n/a
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/cut
      Arguments:cut -c -80
      File size:47480 bytes
      MD5 hash:d8ed0ea8f22c0de0f8692d4d9f1759d3

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/dash
      Arguments:n/a
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/cat
      Arguments:cat /tmp/tmp.JmXH35JStJ
      File size:43416 bytes
      MD5 hash:7e9d213e404ad3bb82e4ebb2e1f2c1b3

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/dash
      Arguments:n/a
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/head
      Arguments:head -n 10
      File size:47480 bytes
      MD5 hash:fd96a67145172477dd57131396fc9608

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/dash
      Arguments:n/a
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/tr
      Arguments:tr -d \\000-\\011\\013\\014\\016-\\037
      File size:51544 bytes
      MD5 hash:fbd1402dd9f72d8ebfff00ce7c3a7bb5

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/dash
      Arguments:n/a
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/cut
      Arguments:cut -c -80
      File size:47480 bytes
      MD5 hash:d8ed0ea8f22c0de0f8692d4d9f1759d3

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/dash
      Arguments:n/a
      File size:129816 bytes
      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

      General

      Start time:01:33:46
      Start date:15/01/2022
      Path:/usr/bin/rm
      Arguments:rm -f /tmp/tmp.JmXH35JStJ /tmp/tmp.AdZnWFxIG7 /tmp/tmp.Bef8J1nfzZ
      File size:72056 bytes
      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

      General

      Start time:01:33:51
      Start date:15/01/2022
      Path:/tmp/52lN2HSY7O
      Arguments:/tmp/52lN2HSY7O
      File size:4463432 bytes
      MD5 hash:cd177594338c77b895ae27c33f8f86cc

      General

      Start time:01:33:51
      Start date:15/01/2022
      Path:/tmp/52lN2HSY7O
      Arguments:n/a
      File size:4463432 bytes
      MD5 hash:cd177594338c77b895ae27c33f8f86cc

      General

      Start time:01:36:43
      Start date:15/01/2022
      Path:/tmp/52lN2HSY7O
      Arguments:n/a
      File size:4463432 bytes
      MD5 hash:cd177594338c77b895ae27c33f8f86cc

      General

      Start time:01:36:43
      Start date:15/01/2022
      Path:/tmp/52lN2HSY7O
      Arguments:n/a
      File size:4463432 bytes
      MD5 hash:cd177594338c77b895ae27c33f8f86cc

      General

      Start time:01:36:43
      Start date:15/01/2022
      Path:/tmp/52lN2HSY7O
      Arguments:n/a
      File size:4463432 bytes
      MD5 hash:cd177594338c77b895ae27c33f8f86cc

      General

      Start time:01:36:48
      Start date:15/01/2022
      Path:/tmp/52lN2HSY7O
      Arguments:n/a
      File size:4463432 bytes
      MD5 hash:cd177594338c77b895ae27c33f8f86cc

      General

      Start time:01:36:48
      Start date:15/01/2022
      Path:/tmp/52lN2HSY7O
      Arguments:n/a
      File size:4463432 bytes
      MD5 hash:cd177594338c77b895ae27c33f8f86cc

      General

      Start time:01:36:43
      Start date:15/01/2022
      Path:/tmp/52lN2HSY7O
      Arguments:n/a
      File size:4463432 bytes
      MD5 hash:cd177594338c77b895ae27c33f8f86cc

      General

      Start time:01:36:43
      Start date:15/01/2022
      Path:/tmp/52lN2HSY7O
      Arguments:n/a
      File size:4463432 bytes
      MD5 hash:cd177594338c77b895ae27c33f8f86cc

      General

      Start time:01:33:51
      Start date:15/01/2022
      Path:/tmp/52lN2HSY7O
      Arguments:n/a
      File size:4463432 bytes
      MD5 hash:cd177594338c77b895ae27c33f8f86cc

      General

      Start time:01:33:51
      Start date:15/01/2022
      Path:/tmp/52lN2HSY7O
      Arguments:n/a
      File size:4463432 bytes
      MD5 hash:cd177594338c77b895ae27c33f8f86cc

      General

      Start time:01:33:51
      Start date:15/01/2022
      Path:/tmp/52lN2HSY7O
      Arguments:n/a
      File size:4463432 bytes
      MD5 hash:cd177594338c77b895ae27c33f8f86cc

      General

      Start time:01:36:43
      Start date:15/01/2022
      Path:/tmp/52lN2HSY7O
      Arguments:n/a
      File size:4463432 bytes
      MD5 hash:cd177594338c77b895ae27c33f8f86cc

      General

      Start time:01:36:43
      Start date:15/01/2022
      Path:/tmp/52lN2HSY7O
      Arguments:n/a
      File size:4463432 bytes
      MD5 hash:cd177594338c77b895ae27c33f8f86cc

      General

      Start time:01:33:51
      Start date:15/01/2022
      Path:/tmp/52lN2HSY7O
      Arguments:n/a
      File size:4463432 bytes
      MD5 hash:cd177594338c77b895ae27c33f8f86cc

      General

      Start time:01:33:51
      Start date:15/01/2022
      Path:/tmp/52lN2HSY7O
      Arguments:n/a
      File size:4463432 bytes
      MD5 hash:cd177594338c77b895ae27c33f8f86cc