Edit tour

Linux Analysis Report
V15hQSZlC3

Overview

General Information

Sample Name:	V15hQSZlC3
Analysis ID:	557410
MD5:	75797bc071034cc54c68ae81e403096e
SHA1:	0a31fec94f3e33c040a27717d3e5bcfb43c97acb
SHA256:	eb1e72903ad912f0b7a2d20587fa4a2714f8adfc67b716c79dbdc781128dfa5b
Tags:	32elfmiraipowerpc
Infos:

Detection

Mirai

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Executes the "rm" command used to delete files or directories

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	557410
Start date:	21.01.2022
Start time:	04:07:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	V15hQSZlC3
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal68.troj.lin@0/0@0/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/V15hQSZlC3
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	DaddyL33T Infected Your Shit
Standard Error:

Process Tree

system is lnxubuntu20

V15hQSZlC3 (PID: 5214, Parent: 5111, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/V15hQSZlC3

V15hQSZlC3 New Fork (PID: 5216, Parent: 5214)

V15hQSZlC3 New Fork (PID: 5333, Parent: 5216)

V15hQSZlC3 New Fork (PID: 5334, Parent: 5216)

V15hQSZlC3 New Fork (PID: 5337, Parent: 5334)

V15hQSZlC3 New Fork (PID: 5347, Parent: 5337)

V15hQSZlC3 New Fork (PID: 5348, Parent: 5337)

V15hQSZlC3 New Fork (PID: 5339, Parent: 5334)

V15hQSZlC3 New Fork (PID: 5342, Parent: 5334)

V15hQSZlC3 New Fork (PID: 5217, Parent: 5214)

V15hQSZlC3 New Fork (PID: 5218, Parent: 5214)

V15hQSZlC3 New Fork (PID: 5222, Parent: 5218)

V15hQSZlC3 New Fork (PID: 5329, Parent: 5222)

V15hQSZlC3 New Fork (PID: 5330, Parent: 5222)

V15hQSZlC3 New Fork (PID: 5223, Parent: 5218)

V15hQSZlC3 New Fork (PID: 5224, Parent: 5218)

dash New Fork (PID: 5266, Parent: 4331)

rm (PID: 5266, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.mGBdYrIAjO /tmp/tmp.nilNg8yhqU /tmp/tmp.xo9oKnmcRG

cleanup

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: V15hQSZlC3	Virustotal: Detection: 45%			Perma Link
Source: V15hQSZlC3	ReversingLabs: Detection: 55%

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 113.181.169.247:23 -> 192.168.2.23:41260
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 113.181.169.247:23 -> 192.168.2.23:41260
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:51094 -> 111.56.18.22:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.215.120.176:23 -> 192.168.2.23:40998
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.127.190.140:23 -> 192.168.2.23:53976
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.215.120.176:23 -> 192.168.2.23:41020
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.127.190.140:23 -> 192.168.2.23:53994
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.215.120.176:23 -> 192.168.2.23:41054
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.139.174.50:23 -> 192.168.2.23:40216
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.127.190.140:23 -> 192.168.2.23:54038
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.139.174.50:23 -> 192.168.2.23:40224
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.139.174.50:23 -> 192.168.2.23:40236
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.139.174.50:23 -> 192.168.2.23:40250
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.139.174.50:23 -> 192.168.2.23:40270
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.139.174.50:23 -> 192.168.2.23:40272
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.139.174.50:23 -> 192.168.2.23:40274
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.215.120.176:23 -> 192.168.2.23:41124
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.139.174.50:23 -> 192.168.2.23:40278
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.127.190.140:23 -> 192.168.2.23:54100
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.139.174.50:23 -> 192.168.2.23:40284
Source: Traffic	Snort IDS: 716 INFO TELNET access 61.139.174.50:23 -> 192.168.2.23:40290
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.215.120.176:23 -> 192.168.2.23:41144
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 113.181.169.247:23 -> 192.168.2.23:41508
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 113.181.169.247:23 -> 192.168.2.23:41508
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.127.190.140:23 -> 192.168.2.23:54120
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:41144 -> 122.215.120.176:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.215.120.176:23 -> 192.168.2.23:41156
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.127.190.140:23 -> 192.168.2.23:54132
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.215.120.176:23 -> 192.168.2.23:41170
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.127.190.140:23 -> 192.168.2.23:54146
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 72.43.174.43:23 -> 192.168.2.23:51456
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 72.43.174.43:23 -> 192.168.2.23:51456
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.127.190.140:23 -> 192.168.2.23:54154
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.215.120.176:23 -> 192.168.2.23:41186
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.33.131.208:23 -> 192.168.2.23:59242
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.33.131.208:23 -> 192.168.2.23:59242
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.127.190.140:23 -> 192.168.2.23:54166
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.215.120.176:23 -> 192.168.2.23:41216
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.101.44.226:23 -> 192.168.2.23:45382
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.37.101.206:23 -> 192.168.2.23:45366
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 42.101.44.226:23 -> 192.168.2.23:45382
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.127.190.140:23 -> 192.168.2.23:54200
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 72.43.174.43:23 -> 192.168.2.23:51510
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 72.43.174.43:23 -> 192.168.2.23:51510
Source: Traffic	Snort IDS: 716 INFO TELNET access 122.215.120.176:23 -> 192.168.2.23:41232
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.101.44.226:23 -> 192.168.2.23:45404
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.37.101.206:23 -> 192.168.2.23:45366
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.37.101.206:23 -> 192.168.2.23:45366
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.164.221.19:23 -> 192.168.2.23:56066
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.164.221.19:23 -> 192.168.2.23:56066
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 42.101.44.226:23 -> 192.168.2.23:45404
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.33.131.208:23 -> 192.168.2.23:59306
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.33.131.208:23 -> 192.168.2.23:59306
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.101.44.226:23 -> 192.168.2.23:45446
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 42.101.44.226:23 -> 192.168.2.23:45446
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.164.221.19:23 -> 192.168.2.23:56094
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.164.221.19:23 -> 192.168.2.23:56094
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.101.44.226:23 -> 192.168.2.23:45516
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.37.101.206:23 -> 192.168.2.23:45522
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 42.101.44.226:23 -> 192.168.2.23:45516
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.164.221.19:23 -> 192.168.2.23:56192
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.164.221.19:23 -> 192.168.2.23:56192
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 113.181.169.247:23 -> 192.168.2.23:41750
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 113.181.169.247:23 -> 192.168.2.23:41750
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.37.101.206:23 -> 192.168.2.23:45522
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.37.101.206:23 -> 192.168.2.23:45522
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.33.131.208:23 -> 192.168.2.23:59456
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.33.131.208:23 -> 192.168.2.23:59456
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.164.221.19:23 -> 192.168.2.23:56248
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.164.221.19:23 -> 192.168.2.23:56248
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 112.225.78.4:23 -> 192.168.2.23:59880
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 212.164.221.19:23 -> 192.168.2.23:56280
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 212.164.221.19:23 -> 192.168.2.23:56280
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.172.249.60:23 -> 192.168.2.23:54418
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.172.249.60:23 -> 192.168.2.23:54418
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.37.101.206:23 -> 192.168.2.23:45630
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.37.101.206:23 -> 192.168.2.23:45630
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.37.101.206:23 -> 192.168.2.23:45630
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.33.131.208:23 -> 192.168.2.23:59572
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.33.131.208:23 -> 192.168.2.23:59572
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.37.101.206:23 -> 192.168.2.23:45680
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.37.101.206:23 -> 192.168.2.23:45680
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.37.101.206:23 -> 192.168.2.23:45680
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.33.131.208:23 -> 192.168.2.23:59612
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.33.131.208:23 -> 192.168.2.23:59612
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.101.44.226:23 -> 192.168.2.23:45718
Source: Traffic	Snort IDS: 716 INFO TELNET access 89.143.158.252:23 -> 192.168.2.23:35048
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 89.143.158.252:23 -> 192.168.2.23:35048
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 89.143.158.252:23 -> 192.168.2.23:35048
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 42.101.44.226:23 -> 192.168.2.23:45718
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 176.62.12.12:23 -> 192.168.2.23:49880
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 176.62.12.12:23 -> 192.168.2.23:49880
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 113.181.169.247:23 -> 192.168.2.23:41954
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 113.181.169.247:23 -> 192.168.2.23:41954
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.37.101.206:23 -> 192.168.2.23:45754
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.101.44.226:23 -> 192.168.2.23:45784
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.37.101.206:23 -> 192.168.2.23:45754
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.37.101.206:23 -> 192.168.2.23:45754
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 112.225.78.4:23 -> 192.168.2.23:60076
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 42.101.44.226:23 -> 192.168.2.23:45784
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.33.131.208:23 -> 192.168.2.23:59688
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.33.131.208:23 -> 192.168.2.23:59688
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.101.44.226:23 -> 192.168.2.23:45830
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.172.249.60:23 -> 192.168.2.23:54632
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.172.249.60:23 -> 192.168.2.23:54632
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 42.101.44.226:23 -> 192.168.2.23:45830
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 120.126.122.47:23 -> 192.168.2.23:45038
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 120.126.122.47:23 -> 192.168.2.23:45038
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.250.83.248:23 -> 192.168.2.23:57058
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.37.101.206:23 -> 192.168.2.23:45880
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.101.44.226:23 -> 192.168.2.23:45894
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 42.101.44.226:23 -> 192.168.2.23:45894
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 110.255.113.247:23 -> 192.168.2.23:58576
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 110.255.113.247:23 -> 192.168.2.23:58576
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.37.101.206:23 -> 192.168.2.23:45880
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.37.101.206:23 -> 192.168.2.23:45880
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.33.131.208:23 -> 192.168.2.23:59824
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.33.131.208:23 -> 192.168.2.23:59824
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.250.83.248:23 -> 192.168.2.23:57148
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 120.126.122.47:23 -> 192.168.2.23:45148
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 120.126.122.47:23 -> 192.168.2.23:45148
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.37.101.206:23 -> 192.168.2.23:45952
Source: Traffic	Snort IDS: 716 INFO TELNET access 89.143.158.252:23 -> 192.168.2.23:35282
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 89.143.158.252:23 -> 192.168.2.23:35282
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 89.143.158.252:23 -> 192.168.2.23:35282
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 110.255.113.247:23 -> 192.168.2.23:58642
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 110.255.113.247:23 -> 192.168.2.23:58642
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.37.101.206:23 -> 192.168.2.23:45952
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.37.101.206:23 -> 192.168.2.23:45952
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 176.62.12.12:23 -> 192.168.2.23:50114
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 176.62.12.12:23 -> 192.168.2.23:50114
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.33.131.208:23 -> 192.168.2.23:59886
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.33.131.208:23 -> 192.168.2.23:59886
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.250.83.248:23 -> 192.168.2.23:57178
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 113.181.169.247:23 -> 192.168.2.23:42194
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 113.181.169.247:23 -> 192.168.2.23:42194
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.250.83.248:23 -> 192.168.2.23:57186
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.37.101.206:23 -> 192.168.2.23:45976
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 110.255.113.247:23 -> 192.168.2.23:58666
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 110.255.113.247:23 -> 192.168.2.23:58666
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 120.126.122.47:23 -> 192.168.2.23:45222
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 120.126.122.47:23 -> 192.168.2.23:45222
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.37.101.206:23 -> 192.168.2.23:45976
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.37.101.206:23 -> 192.168.2.23:45976
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.33.131.208:23 -> 192.168.2.23:59908
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.33.131.208:23 -> 192.168.2.23:59908
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.247.45.132:23 -> 192.168.2.23:45092
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.247.45.132:23 -> 192.168.2.23:45092
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:57214 -> 183.250.83.248:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.172.249.60:23 -> 192.168.2.23:54810
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.172.249.60:23 -> 192.168.2.23:54810
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.250.83.248:23 -> 192.168.2.23:57214
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.101.44.226:23 -> 192.168.2.23:46036
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 42.101.44.226:23 -> 192.168.2.23:46036
Source: Traffic	Snort IDS: 716 INFO TELNET access 42.101.44.226:23 -> 192.168.2.23:46092
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 120.126.122.47:23 -> 192.168.2.23:45264
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 120.126.122.47:23 -> 192.168.2.23:45264
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 110.255.113.247:23 -> 192.168.2.23:58730
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 110.255.113.247:23 -> 192.168.2.23:58730
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.37.101.206:23 -> 192.168.2.23:46080
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 42.101.44.226:23 -> 192.168.2.23:46092
Source: Traffic	Snort IDS: 716 INFO TELNET access 89.143.158.252:23 -> 192.168.2.23:35482
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.37.101.206:23 -> 192.168.2.23:46080
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.37.101.206:23 -> 192.168.2.23:46080
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 89.143.158.252:23 -> 192.168.2.23:35482
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 89.143.158.252:23 -> 192.168.2.23:35482
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.33.131.208:23 -> 192.168.2.23:60034
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.33.131.208:23 -> 192.168.2.23:60034
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.250.83.248:23 -> 192.168.2.23:57364
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 123.17.183.66:23 -> 192.168.2.23:36736
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 123.17.183.66:23 -> 192.168.2.23:36736
Source: Traffic	Snort IDS: 716 INFO TELNET access 102.22.90.4:23 -> 192.168.2.23:57862
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 222.254.174.249:23 -> 192.168.2.23:46024
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 222.254.174.249:23 -> 192.168.2.23:46024
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 110.255.113.247:23 -> 192.168.2.23:58970
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 110.255.113.247:23 -> 192.168.2.23:58970
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 176.62.12.12:23 -> 192.168.2.23:50514
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 176.62.12.12:23 -> 192.168.2.23:50514
Source: Traffic	Snort IDS: 716 INFO TELNET access 114.37.101.206:23 -> 192.168.2.23:46398
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 112.225.78.4:23 -> 192.168.2.23:60584
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 120.126.122.47:23 -> 192.168.2.23:45380
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 120.126.122.47:23 -> 192.168.2.23:45380
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 113.162.85.186:23 -> 192.168.2.23:42770
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 113.162.85.186:23 -> 192.168.2.23:42770
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 114.37.101.206:23 -> 192.168.2.23:46398
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 114.37.101.206:23 -> 192.168.2.23:46398
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 113.181.169.247:23 -> 192.168.2.23:42694
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 113.181.169.247:23 -> 192.168.2.23:42694
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.250.83.248:23 -> 192.168.2.23:57676
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:59224 -> 110.255.113.247:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 200.206.124.89:23 -> 192.168.2.23:60480
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 200.206.124.89:23 -> 192.168.2.23:60480
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:60092 -> 201.190.230.225:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 110.255.113.247:23 -> 192.168.2.23:59224
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 110.255.113.247:23 -> 192.168.2.23:59224
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.207.84.4:23 -> 192.168.2.23:44030
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.207.84.4:23 -> 192.168.2.23:44078
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.207.84.4:23 -> 192.168.2.23:44100
Source: Traffic	Snort IDS: 716 INFO TELNET access 121.182.79.15:23 -> 192.168.2.23:48478
Source: Traffic	Snort IDS: 716 INFO TELNET access 148.0.69.203:23 -> 192.168.2.23:55788
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 118.44.8.8:23 -> 192.168.2.23:57790
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 118.44.8.8:23 -> 192.168.2.23:57790
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.172.249.60:23 -> 192.168.2.23:55538
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.172.249.60:23 -> 192.168.2.23:55538
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.207.84.4:23 -> 192.168.2.23:44158
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 120.126.122.47:23 -> 192.168.2.23:45756
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 120.126.122.47:23 -> 192.168.2.23:45756
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 14.247.45.132:23 -> 192.168.2.23:45824
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 14.247.45.132:23 -> 192.168.2.23:45824
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 183.250.83.248:23 -> 192.168.2.23:57976
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.207.84.4:23 -> 192.168.2.23:44182
Source: Traffic	Snort IDS: 716 INFO TELNET access 148.0.69.203:23 -> 192.168.2.23:55854
Source: Traffic	Snort IDS: 716 INFO TELNET access 178.207.84.4:23 -> 192.168.2.23:44208

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58556
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58560
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58562
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58566
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58568
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58572
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58576
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58578
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58582
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58584
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60888
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60902
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60912
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60918
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60922
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60926
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60934
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60938
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60952
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60954
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45276
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45310
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45328
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45346
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45362
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45370
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45378
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45386
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45390
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45398

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:39338 -> 34.249.145.219:443

Source: global traffic

TCP traffic: 192.168.2.23:59584 -> 45.88.181.48:420

Source: /tmp/V15hQSZlC3 (PID: 5216)	Socket: 0.0.0.0::0
Source: /tmp/V15hQSZlC3 (PID: 5216)	Socket: 0.0.0.0::23
Source: /tmp/V15hQSZlC3 (PID: 5216)	Socket: 0.0.0.0::53413
Source: /tmp/V15hQSZlC3 (PID: 5216)	Socket: 0.0.0.0::80
Source: /tmp/V15hQSZlC3 (PID: 5216)	Socket: 0.0.0.0::52869
Source: /tmp/V15hQSZlC3 (PID: 5216)	Socket: 0.0.0.0::37215
Source: /tmp/V15hQSZlC3 (PID: 5222)	Socket: 0.0.0.0::0

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 39338 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 45.88.181.48
Source: unknown	TCP traffic detected without corresponding DNS query: 142.59.62.186
Source: unknown	TCP traffic detected without corresponding DNS query: 201.76.14.186
Source: unknown	TCP traffic detected without corresponding DNS query: 20.170.152.184
Source: unknown	TCP traffic detected without corresponding DNS query: 14.255.254.123
Source: unknown	TCP traffic detected without corresponding DNS query: 71.187.73.190
Source: unknown	TCP traffic detected without corresponding DNS query: 212.134.160.228
Source: unknown	TCP traffic detected without corresponding DNS query: 102.41.52.117
Source: unknown	TCP traffic detected without corresponding DNS query: 145.159.24.173
Source: unknown	TCP traffic detected without corresponding DNS query: 176.176.230.226
Source: unknown	TCP traffic detected without corresponding DNS query: 70.251.140.222
Source: unknown	TCP traffic detected without corresponding DNS query: 253.232.13.42
Source: unknown	TCP traffic detected without corresponding DNS query: 88.73.12.95
Source: unknown	TCP traffic detected without corresponding DNS query: 160.201.1.231
Source: unknown	TCP traffic detected without corresponding DNS query: 165.206.89.154
Source: unknown	TCP traffic detected without corresponding DNS query: 20.168.42.139
Source: unknown	TCP traffic detected without corresponding DNS query: 207.80.133.59
Source: unknown	TCP traffic detected without corresponding DNS query: 165.84.40.108
Source: unknown	TCP traffic detected without corresponding DNS query: 79.86.2.146
Source: unknown	TCP traffic detected without corresponding DNS query: 38.170.185.216
Source: unknown	TCP traffic detected without corresponding DNS query: 168.113.3.244
Source: unknown	TCP traffic detected without corresponding DNS query: 221.90.144.193
Source: unknown	TCP traffic detected without corresponding DNS query: 109.1.39.41
Source: unknown	TCP traffic detected without corresponding DNS query: 130.36.118.203
Source: unknown	TCP traffic detected without corresponding DNS query: 168.183.30.167
Source: unknown	TCP traffic detected without corresponding DNS query: 183.30.34.55
Source: unknown	TCP traffic detected without corresponding DNS query: 240.217.252.83
Source: unknown	TCP traffic detected without corresponding DNS query: 63.51.64.139
Source: unknown	TCP traffic detected without corresponding DNS query: 212.78.72.137
Source: unknown	TCP traffic detected without corresponding DNS query: 104.196.142.95
Source: unknown	TCP traffic detected without corresponding DNS query: 201.29.123.227
Source: unknown	TCP traffic detected without corresponding DNS query: 67.41.56.215
Source: unknown	TCP traffic detected without corresponding DNS query: 177.176.53.134
Source: unknown	TCP traffic detected without corresponding DNS query: 58.1.156.56
Source: unknown	TCP traffic detected without corresponding DNS query: 255.153.143.117
Source: unknown	TCP traffic detected without corresponding DNS query: 249.251.234.65
Source: unknown	TCP traffic detected without corresponding DNS query: 153.148.176.191
Source: unknown	TCP traffic detected without corresponding DNS query: 104.31.66.77
Source: unknown	TCP traffic detected without corresponding DNS query: 101.220.241.13
Source: unknown	TCP traffic detected without corresponding DNS query: 118.159.28.2
Source: unknown	TCP traffic detected without corresponding DNS query: 195.185.132.146
Source: unknown	TCP traffic detected without corresponding DNS query: 190.84.154.34
Source: unknown	TCP traffic detected without corresponding DNS query: 204.222.141.83
Source: unknown	TCP traffic detected without corresponding DNS query: 5.27.147.122
Source: unknown	TCP traffic detected without corresponding DNS query: 219.64.69.142
Source: unknown	TCP traffic detected without corresponding DNS query: 116.248.234.113
Source: unknown	TCP traffic detected without corresponding DNS query: 243.144.242.171
Source: unknown	TCP traffic detected without corresponding DNS query: 67.99.13.246

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/V15hQSZlC3 (PID: 5216)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/V15hQSZlC3 (PID: 5222)	SIGKILL sent: pid: 936, result: successful

Source: classification engine

Classification label: mal68.troj.lin@0/0@0/0

Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/491/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/793/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/772/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/796/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/774/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/797/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/777/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/799/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/658/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/912/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/759/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/936/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/918/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/1/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/761/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/785/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/884/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/720/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/721/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/788/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/789/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/800/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/801/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/847/fd
Source: /tmp/V15hQSZlC3 (PID: 5222)	File opened: /proc/904/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/491/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/793/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/772/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/796/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/774/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/797/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/777/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/799/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/658/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/912/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/759/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/936/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/918/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/1/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/761/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/785/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/884/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/720/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/721/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/788/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/789/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/800/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/801/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/847/fd
Source: /tmp/V15hQSZlC3 (PID: 5216)	File opened: /proc/904/fd

Source: /usr/bin/dash (PID: 5266)

Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.mGBdYrIAjO /tmp/tmp.nilNg8yhqU /tmp/tmp.xo9oKnmcRG

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58556
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58560
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58562
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58566
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58568
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58572
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58576
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58578
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58582
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 58584
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60888
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60902
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60912
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60918
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60922
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60926
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60934
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60938
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60952
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60954
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45276
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45310
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45328
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45346
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45362
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45370
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45378
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45386
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45390
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 45398

Source: /tmp/V15hQSZlC3 (PID: 5214)

Queries kernel information via 'uname':

Source: V15hQSZlC3, 5214.1.00000000455a3f65.000000006d4d273d.rw-.sdmp, V15hQSZlC3, 5216.1.00000000455a3f65.000000006d4d273d.rw-.sdmp, V15hQSZlC3, 5333.1.00000000455a3f65.000000006d4d273d.rw-.sdmp, V15hQSZlC3, 5347.1.00000000455a3f65.000000006d4d273d.rw-.sdmp, V15hQSZlC3, 5339.1.00000000455a3f65.000000006d4d273d.rw-.sdmp, V15hQSZlC3, 5217.1.00000000455a3f65.000000006d4d273d.rw-.sdmp, V15hQSZlC3, 5329.1.00000000455a3f65.000000006d4d273d.rw-.sdmp, V15hQSZlC3, 5223.1.00000000455a3f65.000000006d4d273d.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/V15hQSZlC3SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/V15hQSZlC3
Source: V15hQSZlC3, 5214.1.0000000031fb7ce5.0000000009a2b56e.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: V15hQSZlC3, 5216.1.0000000031fb7ce5.0000000009a2b56e.rw-.sdmp, V15hQSZlC3, 5333.1.0000000031fb7ce5.0000000009a2b56e.rw-.sdmp, V15hQSZlC3, 5347.1.0000000031fb7ce5.0000000009a2b56e.rw-.sdmp, V15hQSZlC3, 5339.1.0000000031fb7ce5.0000000009a2b56e.rw-.sdmp, V15hQSZlC3, 5217.1.0000000031fb7ce5.0000000009a2b56e.rw-.sdmp, V15hQSZlC3, 5329.1.0000000031fb7ce5.0000000009a2b56e.rw-.sdmp, V15hQSZlC3, 5223.1.0000000031fb7ce5.0000000009a2b56e.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: V15hQSZlC3, 5214.1.0000000031fb7ce5.0000000009a2b56e.rw-.sdmp, V15hQSZlC3, 5216.1.0000000031fb7ce5.0000000009a2b56e.rw-.sdmp, V15hQSZlC3, 5333.1.0000000031fb7ce5.0000000009a2b56e.rw-.sdmp, V15hQSZlC3, 5347.1.0000000031fb7ce5.0000000009a2b56e.rw-.sdmp, V15hQSZlC3, 5339.1.0000000031fb7ce5.0000000009a2b56e.rw-.sdmp, V15hQSZlC3, 5217.1.0000000031fb7ce5.0000000009a2b56e.rw-.sdmp, V15hQSZlC3, 5329.1.0000000031fb7ce5.0000000009a2b56e.rw-.sdmp, V15hQSZlC3, 5223.1.0000000031fb7ce5.0000000009a2b56e.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: V15hQSZlC3, 5214.1.00000000455a3f65.000000006d4d273d.rw-.sdmp, V15hQSZlC3, 5216.1.00000000455a3f65.000000006d4d273d.rw-.sdmp, V15hQSZlC3, 5333.1.00000000455a3f65.000000006d4d273d.rw-.sdmp, V15hQSZlC3, 5347.1.00000000455a3f65.000000006d4d273d.rw-.sdmp, V15hQSZlC3, 5339.1.00000000455a3f65.000000006d4d273d.rw-.sdmp, V15hQSZlC3, 5217.1.00000000455a3f65.000000006d4d273d.rw-.sdmp, V15hQSZlC3, 5329.1.00000000455a3f65.000000006d4d273d.rw-.sdmp, V15hQSZlC3, 5223.1.00000000455a3f65.000000006d4d273d.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
V15hQSZlC3	46%	Virustotal		Browse
V15hQSZlC3	56%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
219.43.156.34	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
4.83.244.200	unknown	United States	3356	LEVEL3US	false
154.3.74.146	unknown	United States	174	COGENT-174US	false
240.230.248.86	unknown	Reserved	unknown	unknown	false
88.167.1.133	unknown	France	12322	PROXADFR	false
177.73.222.160	unknown	unknown	262573	GILMARDOSSANTOSCIALTDABR	false
110.152.176.194	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
86.148.62.142	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
93.172.23.62	unknown	Israel	1680	NV-ASNCELLCOMltdIL	false
168.237.2.178	unknown	United States	3136	STATE-OF-WISCONSIN-AS1US	false
175.94.198.188	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
179.79.229.167	unknown	Brazil	26615	TIMSABR	false
42.73.166.23	unknown	Taiwan; Republic of China (ROC)	17421	EMOME-NETMobileBusinessGroupTW	false
211.148.32.11	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
32.92.242.241	unknown	United States	2686	ATGS-MMD-ASUS	false
125.88.90.212	unknown	China	4813	BACKBONE-GUANGDONG-APChinaTelecomGroupCN	false
193.33.248.121	unknown	United Kingdom	25180	EXPONENTIAL-E-ASGB	false
145.145.137.23	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
168.51.160.215	unknown	United States	1761	TDIR-CAPNETUS	false
65.32.66.139	unknown	United States	33363	BHN-33363US	false
130.175.68.167	unknown	United States	12173	UAUS	false
67.118.202.168	unknown	United States	11191	F2W-ASUS	false
133.118.92.177	unknown	Japan	2522	PPP-EXPJapanNetworkInformationCenterJP	false
64.9.242.239	unknown	United States	36492	GOOGLEWIFIUS	false
89.30.228.114	unknown	Netherlands	25525	REASONNET-ASAmsterdamtheNetherlandsNL	false
111.151.13.250	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
154.97.229.193	unknown	Sudan	36998	SDN-MOBITELSD	false
186.165.99.66	unknown	Venezuela	21575	ENTELPERUSAPE	false
38.169.105.64	unknown	United States	174	COGENT-174US	false
66.79.7.42	unknown	United States	22561	CENTURYLINK-LEGACY-LIGHTCOREUS	false
252.130.173.94	unknown	Reserved	unknown	unknown	false
130.255.35.230	unknown	Russian Federation	39812	KAMENSKTEL-ASPobedyStr37bKamensk-UralskyRU	false
145.209.118.214	unknown	Netherlands	1101	IP-EEND-ASIP-EENDBVNL	false
151.214.52.31	unknown	United States	11003	PANDGUS	false
80.14.1.195	unknown	France	3215	FranceTelecom-OrangeFR	false
191.242.141.211	unknown	Brazil	262730	BytewebComunicacaoMultimidiaLtdaBR	false
190.128.73.12	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	false
169.184.22.144	unknown	United States	37611	AfrihostZA	false
75.160.134.191	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
1.79.211.224	unknown	Japan	9605	DOCOMONTTDOCOMOINCJP	false
111.54.138.238	unknown	China	56042	CMNET-SHANXI-APChinaMobilecommunicationscorporationCN	false
255.228.188.17	unknown	Reserved	unknown	unknown	false
99.183.173.13	unknown	United States	7018	ATT-INTERNET4US	false
19.235.79.195	unknown	United States	3	MIT-GATEWAYSUS	false
99.126.165.27	unknown	United States	7018	ATT-INTERNET4US	false
97.181.172.187	unknown	United States	6167	CELLCO-PARTUS	false
117.90.184.11	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
145.235.189.29	unknown	Sweden	1257	TELE2EU	false
146.118.183.18	unknown	Australia	134111	CSIRO-PAWSEY-AS-APCommonwealthScientificandIndustrialRe	false
114.78.112.184	unknown	Australia	4804	MPX-ASMicroplexPTYLTDAU	false
161.31.175.176	unknown	United States	40581	AREON-ASUS	false
198.180.33.2	unknown	United States	2828	XO-AS15US	false
192.47.33.191	unknown	Japan	5501	FRAUNHOFER-CLUSTER-BWResearchInstitutesspreadalloverGe	false
19.55.221.17	unknown	United States	3	MIT-GATEWAYSUS	false
123.203.7.132	unknown	Hong Kong	9269	HKBN-AS-APHongKongBroadbandNetworkLtdHK	false
130.232.1.148	unknown	Finland	1741	FUNETASFI	false
201.35.0.95	unknown	Brazil	8167	BrasilTelecomSA-FilialDistritoFederalBR	false
89.49.3.124	unknown	Germany	5430	FREENETDEfreenetDatenkommunikationsGmbHDE	false
246.250.119.203	unknown	Reserved	unknown	unknown	false
216.48.63.25	unknown	United States	7029	WINDSTREAMUS	false
103.42.251.212	unknown	India	133726	BLUEWEB-ASBLUEWEBNETWORKSOLUTIONSPVTLTDIN	false
121.85.39.119	unknown	Japan	17511	OPTAGEOPTAGEIncJP	false
149.95.27.187	unknown	United States	174	COGENT-174US	false
179.25.214.74	unknown	Uruguay	6057	AdministracionNacionaldeTelecomunicacionesUY	false
204.97.148.165	unknown	United States	3931	LOGICALUS	false
168.66.47.187	unknown	United States	265240	ULTRANETSERVICOSEMINTERNETLTDABR	false
47.139.36.108	unknown	United States	5650	FRONTIER-FRTRUS	false
36.20.185.19	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
246.2.169.240	unknown	Reserved	unknown	unknown	false
13.181.255.136	unknown	United States	7018	ATT-INTERNET4US	false
189.141.64.115	unknown	Mexico	8151	UninetSAdeCVMX	false
67.75.143.181	unknown	United States	3549	LVLT-3549US	false
211.180.177.153	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	false
12.215.91.11	unknown	United States	7018	ATT-INTERNET4US	false
252.176.137.165	unknown	Reserved	unknown	unknown	false
101.119.53.233	unknown	Australia	133612	VODAFONE-AS-APVodafoneAustraliaPtyLtdAU	false
163.78.97.113	unknown	France	17816	CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi	false
111.154.178.244	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
216.139.133.157	unknown	United States	22136	NYCTUS	false
220.170.81.177	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
63.37.215.231	unknown	United States	3356	LEVEL3US	false
126.39.23.141	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
161.10.197.59	unknown	Colombia	3816	COLOMBIATELECOMUNICACIONESSAESPCO	false
27.77.42.218	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
172.115.98.121	unknown	United States	20001	TWC-20001-PACWESTUS	false
149.249.13.220	unknown	Germany	15404	COLTTechnologyServicesGroupSE	false
20.156.174.140	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
75.120.33.119	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
210.240.23.2	unknown	Taiwan; Republic of China (ROC)	1659	ERX-TANET-ASN1TaiwanAcademicNetworkTANetInformationC	false
249.37.45.136	unknown	Reserved	unknown	unknown	false
59.208.115.119	unknown	China	2516	KDDIKDDICORPORATIONJP	false
153.131.187.101	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
81.18.70.58	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	false
163.168.3.222	unknown	Switzerland	786	JANETJiscServicesLimitedGB	false
173.227.122.35	unknown	United States	3549	LVLT-3549US	false
191.11.247.34	unknown	Brazil	26599	TELEFONICABRASILSABR	false
2.226.67.222	unknown	Italy	12874	FASTWEBIT	false
248.155.127.231	unknown	Reserved	unknown	unknown	false
241.2.117.29	unknown	Reserved	unknown	unknown	false
174.127.145.108	unknown	United States	11404	AS-WAVE-1US	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.242471120921623
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	V15hQSZlC3
File size:	51396
MD5:	75797bc071034cc54c68ae81e403096e
SHA1:	0a31fec94f3e33c040a27717d3e5bcfb43c97acb
SHA256:	eb1e72903ad912f0b7a2d20587fa4a2714f8adfc67b716c79dbdc781128dfa5b
SHA512:	9203c30e9addd7d1e81a5a9fa989ad11b70f56f832334298028840768b8aef2203920bb8d503a0bd10c543f5c213274c3513e2febc2bfd591d2a36fdc7bd8512
SSDEEP:	768:Sx2Mfcy7pgpC1uwECS5VUhRiogRxA3fgLTW9Ivf3KYHJ2VVFsYuWX2IeTrw:K2zy7qpC1uwJ2OErdgA3KYp21j3XLmw
File Content Preview:	.ELF...........................4.........4. ...(....................... ... ...............$...$...$...t............dt.Q.............................!..\|......$H...H..%...$8!. \|...N.. .!..\|.......?.............../...@..\?......<.+../...A..$8...}).....<N..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x100001f0
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	50916
Section Header Size:	40
Number of Section Headers:	12
Header String Table Index:	11

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10000094	0x94	0x24	0x0	0x6	AX	4
.text	PROGBITS	0x100000b8	0xb8	0xbe7c	0x0	0x6	AX	4
.fini	PROGBITS	0x1000bf34	0xbf34	0x20	0x0	0x6	AX	4
.rodata	PROGBITS	0x1000bf54	0xbf54	0x5cc	0x0	0x2	A	4
.ctors	PROGBITS	0x1001c524	0xc524	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x1001c52c	0xc52c	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x1001c538	0xc538	0x140	0x0	0x3	WA	8
.sdata	PROGBITS	0x1001c678	0xc678	0x20	0x0	0x3	WA	4
.sbss	NOBITS	0x1001c698	0xc698	0x74	0x0	0x3	WA	4
.bss	NOBITS	0x1001c70c	0xc698	0x20c	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xc698	0x4b	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000000	0x10000000	0xc520	0xc520	4.0177	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xc524	0x1001c524	0x1001c524	0x174	0x3f4	0.4228	0x6	RW	0x10000	.ctors .dtors .data .sdata .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 21, 2022 04:08:01.233962059 CET	42836	443	192.168.2.23	91.189.91.43
Jan 21, 2022 04:08:01.490011930 CET	42516	80	192.168.2.23	109.202.202.202
Jan 21, 2022 04:08:01.612405062 CET	59584	420	192.168.2.23	45.88.181.48
Jan 21, 2022 04:08:01.644231081 CET	22171	23	192.168.2.23	142.59.62.186
Jan 21, 2022 04:08:01.644283056 CET	22171	23	192.168.2.23	201.76.14.186
Jan 21, 2022 04:08:01.644295931 CET	22171	23	192.168.2.23	20.170.152.184
Jan 21, 2022 04:08:01.644299984 CET	22171	23	192.168.2.23	14.255.254.123
Jan 21, 2022 04:08:01.644309044 CET	22171	23	192.168.2.23	71.187.73.190
Jan 21, 2022 04:08:01.644332886 CET	22171	23	192.168.2.23	212.134.160.228
Jan 21, 2022 04:08:01.644335032 CET	22171	23	192.168.2.23	102.41.52.117
Jan 21, 2022 04:08:01.644341946 CET	22171	23	192.168.2.23	145.159.24.173
Jan 21, 2022 04:08:01.644359112 CET	22171	23	192.168.2.23	176.176.230.226
Jan 21, 2022 04:08:01.644381046 CET	22171	23	192.168.2.23	70.251.140.222
Jan 21, 2022 04:08:01.644383907 CET	22171	23	192.168.2.23	253.232.13.42
Jan 21, 2022 04:08:01.644392014 CET	22171	23	192.168.2.23	88.73.12.95
Jan 21, 2022 04:08:01.644421101 CET	22171	23	192.168.2.23	160.201.1.231
Jan 21, 2022 04:08:01.644427061 CET	22171	23	192.168.2.23	165.206.89.154
Jan 21, 2022 04:08:01.644463062 CET	22171	23	192.168.2.23	20.168.42.139
Jan 21, 2022 04:08:01.644463062 CET	22171	23	192.168.2.23	207.80.133.59
Jan 21, 2022 04:08:01.644479990 CET	22171	23	192.168.2.23	165.84.40.108
Jan 21, 2022 04:08:01.644481897 CET	22171	23	192.168.2.23	79.86.2.146
Jan 21, 2022 04:08:01.644488096 CET	22171	23	192.168.2.23	38.170.185.216
Jan 21, 2022 04:08:01.644529104 CET	22171	23	192.168.2.23	168.113.3.244
Jan 21, 2022 04:08:01.644551039 CET	22171	23	192.168.2.23	221.90.144.193
Jan 21, 2022 04:08:01.644562960 CET	22171	23	192.168.2.23	109.1.39.41
Jan 21, 2022 04:08:01.644587994 CET	22171	23	192.168.2.23	130.36.118.203
Jan 21, 2022 04:08:01.644608021 CET	22171	23	192.168.2.23	168.183.30.167
Jan 21, 2022 04:08:01.644640923 CET	22171	23	192.168.2.23	183.30.34.55
Jan 21, 2022 04:08:01.644675016 CET	22171	23	192.168.2.23	240.217.252.83
Jan 21, 2022 04:08:01.644692898 CET	22171	23	192.168.2.23	63.51.64.139
Jan 21, 2022 04:08:01.644706011 CET	22171	23	192.168.2.23	212.78.72.137
Jan 21, 2022 04:08:01.644783974 CET	22171	23	192.168.2.23	104.196.142.95
Jan 21, 2022 04:08:01.644795895 CET	22171	23	192.168.2.23	201.29.123.227
Jan 21, 2022 04:08:01.644834995 CET	22171	23	192.168.2.23	67.41.56.215
Jan 21, 2022 04:08:01.644836903 CET	22171	23	192.168.2.23	177.176.53.134
Jan 21, 2022 04:08:01.644841909 CET	22171	23	192.168.2.23	58.1.156.56
Jan 21, 2022 04:08:01.644848108 CET	22171	23	192.168.2.23	110.65.72.207
Jan 21, 2022 04:08:01.644855022 CET	22171	23	192.168.2.23	255.153.143.117
Jan 21, 2022 04:08:01.644860029 CET	22171	23	192.168.2.23	249.251.234.65
Jan 21, 2022 04:08:01.644897938 CET	22171	23	192.168.2.23	153.148.176.191
Jan 21, 2022 04:08:01.644912004 CET	22171	23	192.168.2.23	104.31.66.77
Jan 21, 2022 04:08:01.644926071 CET	22171	23	192.168.2.23	101.220.241.13
Jan 21, 2022 04:08:01.644937038 CET	22171	23	192.168.2.23	118.159.28.2
Jan 21, 2022 04:08:01.644968033 CET	22171	23	192.168.2.23	195.185.132.146
Jan 21, 2022 04:08:01.644970894 CET	22171	23	192.168.2.23	190.84.154.34
Jan 21, 2022 04:08:01.644978046 CET	22171	23	192.168.2.23	204.222.141.83
Jan 21, 2022 04:08:01.645020008 CET	22171	23	192.168.2.23	5.27.147.122
Jan 21, 2022 04:08:01.645044088 CET	22171	23	192.168.2.23	219.64.69.142
Jan 21, 2022 04:08:01.645045042 CET	22171	23	192.168.2.23	116.248.234.113
Jan 21, 2022 04:08:01.645046949 CET	22171	23	192.168.2.23	243.144.242.171
Jan 21, 2022 04:08:01.645064116 CET	22171	23	192.168.2.23	67.99.13.246
Jan 21, 2022 04:08:01.645098925 CET	22171	23	192.168.2.23	1.29.133.56
Jan 21, 2022 04:08:01.645100117 CET	22171	23	192.168.2.23	220.184.95.2
Jan 21, 2022 04:08:01.645107985 CET	22171	23	192.168.2.23	112.194.149.201
Jan 21, 2022 04:08:01.645117998 CET	22171	23	192.168.2.23	124.56.136.7
Jan 21, 2022 04:08:01.645129919 CET	22171	23	192.168.2.23	200.105.164.136
Jan 21, 2022 04:08:01.645181894 CET	22171	23	192.168.2.23	164.8.199.82
Jan 21, 2022 04:08:01.645205021 CET	22171	23	192.168.2.23	123.195.47.17
Jan 21, 2022 04:08:01.645221949 CET	22171	23	192.168.2.23	118.6.68.180
Jan 21, 2022 04:08:01.645234108 CET	22171	23	192.168.2.23	176.141.250.188
Jan 21, 2022 04:08:01.645293951 CET	22171	23	192.168.2.23	145.204.172.155
Jan 21, 2022 04:08:01.645294905 CET	22171	23	192.168.2.23	172.148.215.128
Jan 21, 2022 04:08:01.645301104 CET	22171	23	192.168.2.23	251.177.34.209
Jan 21, 2022 04:08:01.645347118 CET	22171	23	192.168.2.23	45.236.170.130
Jan 21, 2022 04:08:01.645370007 CET	22171	23	192.168.2.23	34.33.22.234
Jan 21, 2022 04:08:01.645382881 CET	22171	23	192.168.2.23	246.96.203.132
Jan 21, 2022 04:08:01.645392895 CET	22171	23	192.168.2.23	90.169.182.163
Jan 21, 2022 04:08:01.645430088 CET	22171	23	192.168.2.23	105.226.229.148
Jan 21, 2022 04:08:01.645437956 CET	22171	23	192.168.2.23	20.1.168.211
Jan 21, 2022 04:08:01.645452023 CET	22171	23	192.168.2.23	124.37.110.104
Jan 21, 2022 04:08:01.645452976 CET	22171	23	192.168.2.23	218.218.171.145
Jan 21, 2022 04:08:01.645479918 CET	22171	23	192.168.2.23	48.186.172.171
Jan 21, 2022 04:08:01.645483017 CET	22171	23	192.168.2.23	186.206.149.167
Jan 21, 2022 04:08:01.645495892 CET	22171	23	192.168.2.23	240.124.101.32
Jan 21, 2022 04:08:01.645508051 CET	22171	23	192.168.2.23	16.196.48.26
Jan 21, 2022 04:08:01.645533085 CET	22171	23	192.168.2.23	110.96.72.8
Jan 21, 2022 04:08:01.645555019 CET	22171	23	192.168.2.23	250.194.52.72
Jan 21, 2022 04:08:01.645556927 CET	22171	23	192.168.2.23	184.72.112.182
Jan 21, 2022 04:08:01.645576954 CET	22171	23	192.168.2.23	193.160.16.239
Jan 21, 2022 04:08:01.645598888 CET	22171	23	192.168.2.23	120.77.127.166
Jan 21, 2022 04:08:01.645608902 CET	22171	23	192.168.2.23	60.155.248.24
Jan 21, 2022 04:08:01.645622969 CET	22171	23	192.168.2.23	181.186.187.33
Jan 21, 2022 04:08:01.645622969 CET	22171	23	192.168.2.23	105.110.179.151
Jan 21, 2022 04:08:01.645637989 CET	22171	23	192.168.2.23	218.69.27.224
Jan 21, 2022 04:08:01.645648003 CET	22171	23	192.168.2.23	190.149.40.189
Jan 21, 2022 04:08:01.645663977 CET	22171	23	192.168.2.23	108.218.42.150
Jan 21, 2022 04:08:01.645669937 CET	22171	23	192.168.2.23	120.36.183.136
Jan 21, 2022 04:08:01.645709038 CET	22171	23	192.168.2.23	208.212.26.225
Jan 21, 2022 04:08:01.645724058 CET	22171	23	192.168.2.23	72.133.107.201
Jan 21, 2022 04:08:01.645736933 CET	22171	23	192.168.2.23	221.83.103.195
Jan 21, 2022 04:08:01.645745993 CET	22171	23	192.168.2.23	253.220.164.217
Jan 21, 2022 04:08:01.645747900 CET	22171	23	192.168.2.23	160.251.122.128
Jan 21, 2022 04:08:01.645765066 CET	22171	23	192.168.2.23	211.53.218.123
Jan 21, 2022 04:08:01.645766020 CET	22171	23	192.168.2.23	240.203.247.177
Jan 21, 2022 04:08:01.645775080 CET	22171	23	192.168.2.23	42.196.178.130
Jan 21, 2022 04:08:01.645787954 CET	22171	23	192.168.2.23	135.16.211.36
Jan 21, 2022 04:08:01.645798922 CET	22171	23	192.168.2.23	110.202.223.40
Jan 21, 2022 04:08:01.645821095 CET	22171	23	192.168.2.23	205.208.232.126
Jan 21, 2022 04:08:01.645836115 CET	22171	23	192.168.2.23	93.33.69.87
Jan 21, 2022 04:08:01.645838022 CET	22171	23	192.168.2.23	96.177.187.103

System Behavior

Analysis Process: V15hQSZlC3 PID: 5214, Parent PID: 5111

General

Start time:	04:08:00
Start date:	21/01/2022
Path:	/tmp/V15hQSZlC3
Arguments:	/tmp/V15hQSZlC3
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: V15hQSZlC3 PID: 5216, Parent PID: 5214

General

Start time:	04:08:00
Start date:	21/01/2022
Path:	/tmp/V15hQSZlC3
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: V15hQSZlC3 PID: 5333, Parent PID: 5216

General

Start time:	04:10:53
Start date:	21/01/2022
Path:	/tmp/V15hQSZlC3
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: V15hQSZlC3 PID: 5334, Parent PID: 5216

General

Start time:	04:10:53
Start date:	21/01/2022
Path:	/tmp/V15hQSZlC3
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: V15hQSZlC3 PID: 5337, Parent PID: 5334

General

Start time:	04:10:53
Start date:	21/01/2022
Path:	/tmp/V15hQSZlC3
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: V15hQSZlC3 PID: 5347, Parent PID: 5337

General

Start time:	04:10:58
Start date:	21/01/2022
Path:	/tmp/V15hQSZlC3
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: V15hQSZlC3 PID: 5348, Parent PID: 5337

General

Start time:	04:10:58
Start date:	21/01/2022
Path:	/tmp/V15hQSZlC3
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: V15hQSZlC3 PID: 5339, Parent PID: 5334

General

Start time:	04:10:53
Start date:	21/01/2022
Path:	/tmp/V15hQSZlC3
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: V15hQSZlC3 PID: 5342, Parent PID: 5334

General

Start time:	04:10:53
Start date:	21/01/2022
Path:	/tmp/V15hQSZlC3
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: V15hQSZlC3 PID: 5217, Parent PID: 5214

General

Start time:	04:08:00
Start date:	21/01/2022
Path:	/tmp/V15hQSZlC3
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: V15hQSZlC3 PID: 5218, Parent PID: 5214

General

Start time:	04:08:00
Start date:	21/01/2022
Path:	/tmp/V15hQSZlC3
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: V15hQSZlC3 PID: 5222, Parent PID: 5218

General

Start time:	04:08:00
Start date:	21/01/2022
Path:	/tmp/V15hQSZlC3
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: V15hQSZlC3 PID: 5329, Parent PID: 5222

General

Start time:	04:10:53
Start date:	21/01/2022
Path:	/tmp/V15hQSZlC3
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: V15hQSZlC3 PID: 5330, Parent PID: 5222

General

Start time:	04:10:53
Start date:	21/01/2022
Path:	/tmp/V15hQSZlC3
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: V15hQSZlC3 PID: 5223, Parent PID: 5218

General

Start time:	04:08:00
Start date:	21/01/2022
Path:	/tmp/V15hQSZlC3
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: V15hQSZlC3 PID: 5224, Parent PID: 5218

General

Start time:	04:08:00
Start date:	21/01/2022
Path:	/tmp/V15hQSZlC3
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: dash PID: 5266, Parent PID: 4331

General

Start time:	04:09:22
Start date:	21/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: rm PID: 5266, Parent PID: 4331

General

Start time:	04:09:22
Start date:	21/01/2022
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.mGBdYrIAjO /tmp/tmp.nilNg8yhqU /tmp/tmp.xo9oKnmcRG
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report V15hQSZlC3

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Overview

PCAP (Network Traffic)

Jbx Signature Overview

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: V15hQSZlC3 PID: 5214, Parent PID: 5111

General

Analysis Process: V15hQSZlC3 PID: 5216, Parent PID: 5214

General

Analysis Process: V15hQSZlC3 PID: 5333, Parent PID: 5216

General

Analysis Process: V15hQSZlC3 PID: 5334, Parent PID: 5216

General

Analysis Process: V15hQSZlC3 PID: 5337, Parent PID: 5334

General

Analysis Process: V15hQSZlC3 PID: 5347, Parent PID: 5337

General

Analysis Process: V15hQSZlC3 PID: 5348, Parent PID: 5337

General

Analysis Process: V15hQSZlC3 PID: 5339, Parent PID: 5334

General

Analysis Process: V15hQSZlC3 PID: 5342, Parent PID: 5334

General

Analysis Process: V15hQSZlC3 PID: 5217, Parent PID: 5214

General

Analysis Process: V15hQSZlC3 PID: 5218, Parent PID: 5214

General

Linux Analysis Report
V15hQSZlC3