
Linux Analysis Report 9Q1fc1TZq4

Overview

General Information

Sample Name: 9Q1fc1TZq4
Analysis ID: 553493
MD5: b192ed1edacfafee1a66012bfa2c45be
SHA1: 0a3451997f43964a25b203672441f3d4b615d224
SHA256: b41bbb2bcc0d3106fd9767fe53f95329d4178ca48f3fdf700b80619b75207dba
Tags: 32, elf, mirai, sparc

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Sample tries to kill multiple processes (SIGKILL)
Sample has stripped symbol table
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

None of the HTTP servers contacted by the sample answer; the sample is likely an old dropper that no longer works.
The static ELF header machine description suggests that the sample might not execute correctly on this machine.

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553493
Start date: 15.01.2022
Start time: 01:38:33
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 12s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 9Q1fc1TZq4
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal72.spre.troj.lin@0/0@0/0
Warnings:
  • Report size exceeded maximum capacity and may have missing network information.
  • TCP Packets have been reduced to 100

Process Tree

  • system is lnxubuntu20
  • cleanup

Yara Overview

PCAP (Network Traffic)

Source: dump.pcap
Rule: JoeSecurity_Mirai_12
Description: Yara detected Mirai
Author: Joe Security
Strings: (none)

    Jbx Signature Overview

    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: 9Q1fc1TZq4; Virustotal: Detection: 52%
    Source: 9Q1fc1TZq4; ReversingLabs: Detection: 55%

    Networking:

    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Source: Traffic; Snort IDS: 716 INFO TELNET access 150.129.115.17:23 -> 192.168.2.23:43010
    Source: Traffic; Snort IDS: 716 INFO TELNET access 212.123.70.71:23 -> 192.168.2.23:40496
    Source: Traffic; Snort IDS: 716 INFO TELNET access 212.123.70.71:23 -> 192.168.2.23:40516
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 85.133.230.240:23 -> 192.168.2.23:39806
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 85.133.230.240:23 -> 192.168.2.23:39806
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35412
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35412
    Source: Traffic; Snort IDS: 716 INFO TELNET access 150.129.115.17:23 -> 192.168.2.23:43180
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35434
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35434
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35430
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35430
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 85.133.230.240:23 -> 192.168.2.23:39852
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 85.133.230.240:23 -> 192.168.2.23:39852
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35448
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35448
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35450
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35450
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35456
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35456
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35462
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35462
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35466
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35466
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35472
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35472
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35478
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35478
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35480
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35480
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 85.133.230.240:23 -> 192.168.2.23:39908
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 85.133.230.240:23 -> 192.168.2.23:39908
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35486
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35486
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35490
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35490
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35492
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35492
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35504
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35504
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35508
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35508
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35516
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35516
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35528
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35528
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35530
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35530
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35542
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35542
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35550
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35550
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35554
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35554
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 85.133.230.240:23 -> 192.168.2.23:39976
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 85.133.230.240:23 -> 192.168.2.23:39976
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35560
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35560
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35578
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35578
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35574
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35574
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35576
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35576
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35590
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35590
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35592
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35592
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35612
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35612
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 85.133.230.240:23 -> 192.168.2.23:40034
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 85.133.230.240:23 -> 192.168.2.23:40034
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 70.155.215.73:23 -> 192.168.2.23:35642
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 70.155.215.73:23 -> 192.168.2.23:35642
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 85.133.230.240:23 -> 192.168.2.23:40072
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 85.133.230.240:23 -> 192.168.2.23:40072
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 85.133.230.240:23 -> 192.168.2.23:40142
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 85.133.230.240:23 -> 192.168.2.23:40142
    Source: Traffic; Snort IDS: 716 INFO TELNET access 176.119.210.93:23 -> 192.168.2.23:39152
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 122.52.167.198:23 -> 192.168.2.23:50186
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 122.52.167.198:23 -> 192.168.2.23:50186
    Source: Traffic; Snort IDS: 716 INFO TELNET access 187.60.251.153:23 -> 192.168.2.23:57922
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 85.133.230.240:23 -> 192.168.2.23:40192
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 85.133.230.240:23 -> 192.168.2.23:40192
    Source: Traffic; Snort IDS: 716 INFO TELNET access 67.21.178.130:23 -> 192.168.2.23:56348
    Source: Traffic; Snort IDS: 1251 INFO TELNET Bad Login 85.133.230.240:23 -> 192.168.2.23:40246
    Source: Traffic; Snort IDS: 718 INFO TELNET login incorrect 85.133.230.240:23 -> 192.168.2.23:40246
    Source: Traffic; Snort IDS: 492 INFO TELNET login failed 223.13.163.141:23 -> 192.168.2.23:41608
    Source: Traffic; Snort IDS: 716 INFO TELNET access 222.222.115.44:23 -> 192.168.2.23:37756
    Uses known network protocols on non-standard ports
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41672
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41676
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41682
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41684
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41686
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41690
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41694
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41696
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41700
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 41704
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 51854
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 51856
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 51860
    Source: unknown; Network traffic detected: HTTP traffic on port 23 -> 51866
    Source: global traffic; TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
    Source: global traffic; TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
    Source: global traffic; TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
    Source: global traffic; TCP traffic: 192.168.2.23:51422 -> 136.144.41.15:1312
    Sample listens on a socket
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); Socket: 0.0.0.0::0
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); Socket: 0.0.0.0::23
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); Socket: 0.0.0.0::53413
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); Socket: 0.0.0.0::80
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); Socket: 0.0.0.0::52869
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); Socket: 0.0.0.0::37215
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); Socket: 0.0.0.0::0
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); Socket: 0.0.0.0::23
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); Socket: 0.0.0.0::53413
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); Socket: 0.0.0.0::80
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); Socket: 0.0.0.0::52869
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); Socket: 0.0.0.0::37215
    Source: unknown; Network traffic detected: HTTP traffic on port 43928 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 42836 -> 443
    Source: unknown; TCP traffic detected without corresponding DNS query: 136.144.41.15
    Source: unknown; TCP traffic detected without corresponding DNS query: 53.37.140.118
    Source: unknown; TCP traffic detected without corresponding DNS query: 255.11.92.225
    Source: unknown; TCP traffic detected without corresponding DNS query: 113.221.14.222
    Source: unknown; TCP traffic detected without corresponding DNS query: 91.198.138.229
    Source: unknown; TCP traffic detected without corresponding DNS query: 74.14.252.38
    Source: unknown; TCP traffic detected without corresponding DNS query: 186.169.215.12
    Source: unknown; TCP traffic detected without corresponding DNS query: 63.76.153.143
    Source: unknown; TCP traffic detected without corresponding DNS query: 242.192.94.231
    Source: unknown; TCP traffic detected without corresponding DNS query: 93.163.0.92
    Source: unknown; TCP traffic detected without corresponding DNS query: 195.161.100.74
    Source: unknown; TCP traffic detected without corresponding DNS query: 197.39.20.72
    Source: unknown; TCP traffic detected without corresponding DNS query: 247.25.74.11
    Source: unknown; TCP traffic detected without corresponding DNS query: 38.132.7.100
    Source: unknown; TCP traffic detected without corresponding DNS query: 216.209.64.3
    Source: unknown; TCP traffic detected without corresponding DNS query: 189.183.132.53
    Source: unknown; TCP traffic detected without corresponding DNS query: 116.35.20.108
    Source: unknown; TCP traffic detected without corresponding DNS query: 159.3.178.38
    Source: unknown; TCP traffic detected without corresponding DNS query: 208.100.192.160
    Source: unknown; TCP traffic detected without corresponding DNS query: 254.75.83.64
    Source: unknown; TCP traffic detected without corresponding DNS query: 145.194.139.115
    Source: unknown; TCP traffic detected without corresponding DNS query: 66.109.87.165
    Source: unknown; TCP traffic detected without corresponding DNS query: 38.77.77.248
    Source: unknown; TCP traffic detected without corresponding DNS query: 208.64.53.186
    Source: unknown; TCP traffic detected without corresponding DNS query: 240.0.122.142
    Source: unknown; TCP traffic detected without corresponding DNS query: 217.82.231.151
    Source: unknown; TCP traffic detected without corresponding DNS query: 9.244.168.67
    Source: unknown; TCP traffic detected without corresponding DNS query: 193.36.181.109
    Source: unknown; TCP traffic detected without corresponding DNS query: 190.44.190.77
    Source: unknown; TCP traffic detected without corresponding DNS query: 91.122.52.12
    Source: unknown; TCP traffic detected without corresponding DNS query: 96.83.141.58
    Source: unknown; TCP traffic detected without corresponding DNS query: 164.146.71.67
    Source: unknown; TCP traffic detected without corresponding DNS query: 220.191.251.91
    Source: unknown; TCP traffic detected without corresponding DNS query: 125.61.48.223
    Source: unknown; TCP traffic detected without corresponding DNS query: 36.31.15.146
    Source: unknown; TCP traffic detected without corresponding DNS query: 82.231.242.223
    Source: unknown; TCP traffic detected without corresponding DNS query: 31.151.38.122
    Source: unknown; TCP traffic detected without corresponding DNS query: 197.68.141.240
    Source: unknown; TCP traffic detected without corresponding DNS query: 122.102.241.146
    Source: unknown; TCP traffic detected without corresponding DNS query: 73.119.62.16
    Source: unknown; TCP traffic detected without corresponding DNS query: 174.134.34.4
    Source: unknown; TCP traffic detected without corresponding DNS query: 195.118.217.228
    Source: unknown; TCP traffic detected without corresponding DNS query: 89.162.79.119
    Source: unknown; TCP traffic detected without corresponding DNS query: 149.83.114.206
    Source: unknown; TCP traffic detected without corresponding DNS query: 160.55.69.168
    Source: unknown; TCP traffic detected without corresponding DNS query: 163.88.190.118
    Source: unknown; TCP traffic detected without corresponding DNS query: 185.44.206.173
    Source: unknown; TCP traffic detected without corresponding DNS query: 126.138.115.208
    Source: unknown; TCP traffic detected without corresponding DNS query: 150.207.88.146
    Source: unknown; TCP traffic detected without corresponding DNS query: 181.18.11.107

    System Summary:

    Sample tries to kill multiple processes (SIGKILL)
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); SIGKILL sent: pid: 936, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 936, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 5243, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 720, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 759, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 788, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 800, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 847, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 884, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 1334, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 1335, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 1860, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 1872, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2096, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2097, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2102, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2180, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2208, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2275, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2281, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2285, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2289, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2294, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 5235, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 5245, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 5249, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 5253, result: successful
    Sample has stripped symbol table
    Source: ELF static info symbol of initial sample; .symtab present: no
    Sample tries to kill a process (SIGKILL)
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); SIGKILL sent: pid: 936, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 936, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 5243, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 720, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 759, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 788, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 800, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 847, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 884, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 1334, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 1335, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 1860, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 1872, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2096, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2097, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2102, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2180, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2208, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2275, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2281, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2285, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2289, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 2294, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 5235, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 5245, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 5249, result: successful
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); SIGKILL sent: pid: 5253, result: successful
    Source: classification engine; Classification label: mal72.spre.troj.lin@0/0@0/0
    Enumerates processes within the "proc" file system
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/491/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/793/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/772/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/796/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/774/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/797/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/777/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/799/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/658/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/912/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/759/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/936/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/918/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/1/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/761/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/785/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/884/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/720/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/721/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/788/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/789/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/800/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/801/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/847/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5224); File opened: /proc/904/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/5144/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/4453/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2033/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2033/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1582/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1582/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2275/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2275/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/3088/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1612/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1612/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1579/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1579/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1699/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1699/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1335/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1335/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1698/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1698/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2028/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2028/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1334/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1334/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1576/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1576/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2302/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2302/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/3236/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/3236/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2025/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2025/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2146/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2146/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/910/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/912/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/912/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/912/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/912/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/759/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/759/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/759/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/759/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/517/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2307/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2307/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/918/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/918/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/918/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/918/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/5030/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/5030/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/5151/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/4460/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/5153/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/4461/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/4462/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1594/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1594/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2285/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2285/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2281/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/2281/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1349/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1349/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1623/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1623/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/761/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/761/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/761/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/761/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1622/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1622/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/884/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/884/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/884/exe
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/884/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1983/fd
    Source: /tmp/9Q1fc1TZq4 (PID: 5229); File opened: /proc/1983/exe

    Hooking and other Techniques for Hiding and Protection:

    barindex
    Uses known network protocols on non-standard portsShow sources
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41672
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41676
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41682
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41684
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41686
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41690
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41694
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41696
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41700
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 41704
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 51854
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 51856
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 51860
    Source: unknownNetwork traffic detected: HTTP traffic on port 23 -> 51866
    Source: /tmp/9Q1fc1TZq4 (PID: 5222)Queries kernel information via 'uname':
    Source: 9Q1fc1TZq4, 5259.1.0000000078c623b5.00000000b86fdce1.rw-.sdmp | Binary or memory string: U/sparc/10 /usr/bin/qemu-sparc!/proc/5243/fd/.1P
    Source: 9Q1fc1TZq4, 5222.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5224.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5241.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5243.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5245.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5251.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5253.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5248.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5249.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5225.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5259.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5232.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5235.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/sparc
    Source: 9Q1fc1TZq4, 5222.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5224.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5241.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5243.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5245.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5251.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5253.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5248.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5249.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5225.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5259.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5232.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp, 9Q1fc1TZq4, 5235.1.00000000e7bd0055.0000000078c623b5.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/sparc
    Source: 9Q1fc1TZq4, 5259.1.0000000078c623b5.00000000b86fdce1.rw-.sdmp | Binary or memory string: U/sparc/10 /proc/2080/fd/50!/proc/2025/fd/11/usr/bin/vmtoolsdparc/10!/proc/2080/fd/40!/proc/2025/fd/21
    Source: 9Q1fc1TZq4, 5259.1.0000000078c623b5.00000000b86fdce1.rw-.sdmp | Binary or memory string: /usr/bin/vmtoolsd
    Source: 9Q1fc1TZq4, 5222.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5224.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5241.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5243.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5245.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5251.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5253.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5248.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5249.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5225.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5259.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5232.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5235.1.00000000e78673f0.000000004e74a713.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/9Q1fc1TZq4SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/9Q1fc1TZq4
    Source: 9Q1fc1TZq4, 5222.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5224.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5241.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5243.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5245.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5251.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5253.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5248.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5249.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5225.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5259.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5259.1.0000000078c623b5.00000000b86fdce1.rw-.sdmp, 9Q1fc1TZq4, 5232.1.00000000e78673f0.000000004e74a713.rw-.sdmp, 9Q1fc1TZq4, 5235.1.00000000e78673f0.000000004e74a713.rw-.sdmp | Binary or memory string: /usr/bin/qemu-sparc

    Stealing of Sensitive Information:

    Yara detected Mirai
    Source: Yara match | File source: dump.pcap, type: PCAP

    Remote Access Functionality:

    Yara detected Mirai
    Source: Yara match | File source: dump.pcap, type: PCAP

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping 1 | Security Software Discovery 1 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

    Malware Configuration

    No configs have been found

    Behavior Graph

    [Behavior graph image not reproduced. Graph ID 553493, sample 9Q1fc1TZq4, start date 15/01/2022, architecture LINUX, score 72. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Number of created Files, Is malicious, Internet.]
    Recoverable graph content: network nodes 90.251.212.225 (VodafoneGB, United Kingdom), 37.182.231.163 port 23 (VODAFONE-IT-ASN, Italy) and 98 other IPs or domains; top-level signatures "Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)", "Multi AV Scanner detection for submitted file", "Yara detected Mirai" and "Uses known network protocols on non-standard ports"; the 9Q1fc1TZq4 process starts three child 9Q1fc1TZq4 processes, two of which start further generations of 9Q1fc1TZq4 processes, and the signature "Sample tries to kill multiple processes (SIGKILL)" is attached to two of the descendant processes.

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    9Q1fc1TZq4 | 52% | Virustotal | -
    9Q1fc1TZq4 | 56% | ReversingLabs | Linux.Trojan.Mirai

    Dropped Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs


    Public



    Runtime Messages

    Command:/tmp/9Q1fc1TZq4
    Exit Code:0
    Exit Code Info:
    Killed:False
    Standard Output:
    Connected To CNC
    Standard Error:

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
    Entropy (8bit):6.035748270293767
    TrID:
    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
    File name:9Q1fc1TZq4
    File size:60412
    MD5:b192ed1edacfafee1a66012bfa2c45be
    SHA1:0a3451997f43964a25b203672441f3d4b615d224
    SHA256:b41bbb2bcc0d3106fd9767fe53f95329d4178ca48f3fdf700b80619b75207dba
    SHA512:6b4746660989827e03a6cbd51cf925d200e76368f9f792a7dd9dc0f0594410ea735af741d39f26fa48391f666270f39b81292a08f08f6c9e83670ab27137c1f4
    SSDEEP:768:eLobAxU6q9Hfymp0xginSYcCLUB6WsTwR11IQdszoDaS0O+DCDt:eL0AxvSHfymp0xgujcCLs6vTAIau6
    File Content Preview:.ELF...........................4...l.....4. ...(.......................................................x............dt.Q................................@..(....@.8R................#.....b0..`.....!..... ...@.....".........`......$ ... ...@...........`....

    Static ELF Info

    ELF header

    Class:ELF32
    Data:2's complement, big endian
    Version:1 (current)
    Machine:Sparc
    Version Number:0x1
    Type:EXEC (Executable file)
    OS/ABI:UNIX - System V
    ABI Version:0
    Entry Point Address:0x101a4
    Flags:0x0
    ELF Header Size:52
    Program Header Offset:52
    Program Header Size:32
    Number of Program Headers:3
    Section Header Offset:60012
    Section Header Size:40
    Number of Section Headers:10
    Header String Table Index:9

    Sections

    Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
    - | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | - | 0 | 0 | 0
    .init | PROGBITS | 0x10094 | 0x94 | 0x1c | 0x0 | 0x6 | AX | 0 | 0 | 4
    .text | PROGBITS | 0x100b0 | 0xb0 | 0xe180 | 0x0 | 0x6 | AX | 0 | 0 | 4
    .fini | PROGBITS | 0x1e230 | 0xe230 | 0x14 | 0x0 | 0x6 | AX | 0 | 0 | 4
    .rodata | PROGBITS | 0x1e248 | 0xe248 | 0x668 | 0x0 | 0x2 | A | 0 | 0 | 8
    .ctors | PROGBITS | 0x2e8b4 | 0xe8b4 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
    .dtors | PROGBITS | 0x2e8bc | 0xe8bc | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
    .data | PROGBITS | 0x2e8c8 | 0xe8c8 | 0x164 | 0x0 | 0x3 | WA | 0 | 0 | 8
    .bss | NOBITS | 0x2ea30 | 0xea2c | 0x288 | 0x0 | 0x3 | WA | 0 | 0 | 8
    .shstrtab | STRTAB | 0x0 | 0xea2c | 0x3e | 0x0 | 0x0 | - | 0 | 0 | 1

    Program Segments

    Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
    LOAD | 0x0 | 0x10000 | 0x10000 | 0xe8b0 | 0xe8b0 | 3.3886 | 0x5 | R E | 0x10000 | - | .init .text .fini .rodata
    LOAD | 0xe8b4 | 0x2e8b4 | 0x2e8b4 | 0x178 | 0x404 | 0.3183 | 0x6 | RW | 0x10000 | - | .ctors .dtors .data .bss
    GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | - | -

    Network Behavior

    Network Port Distribution

    TCP Packets


    System Behavior

    General

    Start time:01:39:14
    Start date:15/01/2022
    Path:/tmp/9Q1fc1TZq4
    Arguments:/tmp/9Q1fc1TZq4
    File size:4379400 bytes
    MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

    General

    Start time:01:39:14
    Start date:15/01/2022
    Path:/tmp/9Q1fc1TZq4
    Arguments:n/a
    File size:4379400 bytes
    MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

    General

    Start time:01:39:24
    Start date:15/01/2022
    Path:/tmp/9Q1fc1TZq4
    Arguments:n/a
    File size:4379400 bytes
    MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

    General

    Start time:01:39:24
    Start date:15/01/2022
    Path:/tmp/9Q1fc1TZq4
    Arguments:n/a
    File size:4379400 bytes
    MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

    General

    Start time:01:39:24
    Start date:15/01/2022
    Path:/tmp/9Q1fc1TZq4
    Arguments:n/a
    File size:4379400 bytes
    MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

    General

    Start time:01:39:24
    Start date:15/01/2022
    Path:/tmp/9Q1fc1TZq4
    Arguments:n/a
    File size:4379400 bytes
    MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

    General

    Start time:01:39:24
    Start date:15/01/2022
    Path:/tmp/9Q1fc1TZq4
    Arguments:n/a
    File size:4379400 bytes
    MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

    General

    Start time:01:39:24
    Start date:15/01/2022
    Path:/tmp/9Q1fc1TZq4
    Arguments:n/a
    File size:4379400 bytes
    MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

    General

    Start time:01:39:24
    Start date:15/01/2022
    Path:/tmp/9Q1fc1TZq4
    Arguments:n/a
    File size:4379400 bytes
    MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

    General

    Start time:01:39:14
    Start date:15/01/2022
    Path:/tmp/9Q1fc1TZq4
    Arguments:n/a
    File size:4379400 bytes
    MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

    General

    Start time:01:39:14
    Start date:15/01/2022
    Path:/tmp/9Q1fc1TZq4
    Arguments:n/a
    File size:4379400 bytes
    MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

    General

    Start time:01:39:14
    Start date:15/01/2022
    Path:/tmp/9Q1fc1TZq4
    Arguments:n/a
    File size:4379400 bytes
    MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

    General

    Start time:01:39:30
    Start date:15/01/2022
    Path:/tmp/9Q1fc1TZq4
    Arguments:n/a
    File size:4379400 bytes
    MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

    General

    Start time:01:39:30
    Start date:15/01/2022
    Path:/tmp/9Q1fc1TZq4
    Arguments:n/a
    File size:4379400 bytes
    MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

    General

    Start time:01:39:14
    Start date:15/01/2022
    Path:/tmp/9Q1fc1TZq4
    Arguments:n/a
    File size:4379400 bytes
    MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e

    General

    Start time:01:39:14
    Start date:15/01/2022
    Path:/tmp/9Q1fc1TZq4
    Arguments:n/a
    File size:4379400 bytes
    MD5 hash:7dc1c0e23cd5e102bb12e5c29403410e