Edit tour

Linux Analysis Report
oKukKTcgxV

Overview

General Information

Sample Name:	oKukKTcgxV
Analysis ID:	557425
MD5:	5ca61982c3626a6a6317eb28b301c00b
SHA1:	ffde6d29d70c9a8471f0b0c86ca1438662183e8a
SHA256:	e1250ce224b971ff719ba2532e2de4b317aa90a9f82ddc18843d5d7f9a2b6b39
Tags:	32elfmiraimotorola
Infos:

Detection

Mirai

Score:	68
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	557425
Start date:	21.01.2022
Start time:	04:37:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	oKukKTcgxV
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal68.troj.lin@0/0@0/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/oKukKTcgxV
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	DaddyL33T Infected Your Shit
Standard Error:

Process Tree

system is lnxubuntu20

oKukKTcgxV (PID: 5218, Parent: 5114, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/oKukKTcgxV

oKukKTcgxV New Fork (PID: 5220, Parent: 5218)

oKukKTcgxV New Fork (PID: 5318, Parent: 5220)

oKukKTcgxV New Fork (PID: 5322, Parent: 5220)

oKukKTcgxV New Fork (PID: 5326, Parent: 5322)

oKukKTcgxV New Fork (PID: 5335, Parent: 5326)

oKukKTcgxV New Fork (PID: 5337, Parent: 5326)

oKukKTcgxV New Fork (PID: 5328, Parent: 5322)

oKukKTcgxV New Fork (PID: 5330, Parent: 5322)

oKukKTcgxV New Fork (PID: 5221, Parent: 5218)

oKukKTcgxV New Fork (PID: 5223, Parent: 5218)

oKukKTcgxV New Fork (PID: 5226, Parent: 5223)

oKukKTcgxV New Fork (PID: 5319, Parent: 5226)

oKukKTcgxV New Fork (PID: 5321, Parent: 5226)

oKukKTcgxV New Fork (PID: 5227, Parent: 5223)

oKukKTcgxV New Fork (PID: 5228, Parent: 5223)

cleanup

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: oKukKTcgxV	Virustotal: Detection: 49%			Perma Link
Source: oKukKTcgxV	ReversingLabs: Detection: 55%

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 716 INFO TELNET access 223.84.156.86:23 -> 192.168.2.23:34252
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 223.84.156.86:23 -> 192.168.2.23:34252
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:34536 -> 163.20.8.254:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.84.156.86:23 -> 192.168.2.23:34322
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 223.84.156.86:23 -> 192.168.2.23:34322
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.84.156.86:23 -> 192.168.2.23:34370
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 223.84.156.86:23 -> 192.168.2.23:34370
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.84.156.86:23 -> 192.168.2.23:34428
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 41.139.199.98:23 -> 192.168.2.23:59412
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 223.84.156.86:23 -> 192.168.2.23:34428
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.84.156.86:23 -> 192.168.2.23:34450
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:56472 -> 201.143.220.133:23
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 201.143.220.133:23 -> 192.168.2.23:56472
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 223.84.156.86:23 -> 192.168.2.23:34450
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.84.156.86:23 -> 192.168.2.23:34472
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 223.13.63.210:23 -> 192.168.2.23:55314
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 223.84.156.86:23 -> 192.168.2.23:34472
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.84.156.86:23 -> 192.168.2.23:34498
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 223.84.156.86:23 -> 192.168.2.23:34498
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.84.156.86:23 -> 192.168.2.23:34554
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 223.84.156.86:23 -> 192.168.2.23:34554
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.84.156.86:23 -> 192.168.2.23:34594
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 223.84.156.86:23 -> 192.168.2.23:34594
Source: Traffic	Snort IDS: 716 INFO TELNET access 46.43.81.150:23 -> 192.168.2.23:49872
Source: Traffic	Snort IDS: 716 INFO TELNET access 223.84.156.86:23 -> 192.168.2.23:34636
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.43.81.150:23 -> 192.168.2.23:49872
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.43.81.150:23 -> 192.168.2.23:49872
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 223.84.156.86:23 -> 192.168.2.23:34636
Source: Traffic	Snort IDS: 716 INFO TELNET access 46.43.81.150:23 -> 192.168.2.23:49922
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.43.81.150:23 -> 192.168.2.23:49922
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.43.81.150:23 -> 192.168.2.23:49922
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:57254 -> 201.249.168.9:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 46.43.81.150:23 -> 192.168.2.23:49968
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.43.81.150:23 -> 192.168.2.23:49968
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.43.81.150:23 -> 192.168.2.23:49968
Source: Traffic	Snort IDS: 716 INFO TELNET access 46.43.81.150:23 -> 192.168.2.23:50010
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 201.227.16.158:23 -> 192.168.2.23:53540
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 201.227.16.158:23 -> 192.168.2.23:53540
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.43.81.150:23 -> 192.168.2.23:50010
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.43.81.150:23 -> 192.168.2.23:50010
Source: Traffic	Snort IDS: 716 INFO TELNET access 46.43.81.150:23 -> 192.168.2.23:50110
Source: Traffic	Snort IDS: 716 INFO TELNET access 119.112.222.99:23 -> 192.168.2.23:49100
Source: Traffic	Snort IDS: 716 INFO TELNET access 121.161.89.156:23 -> 192.168.2.23:35852
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.43.81.150:23 -> 192.168.2.23:50110
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.43.81.150:23 -> 192.168.2.23:50110
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 121.161.89.156:23 -> 192.168.2.23:35852
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 121.161.89.156:23 -> 192.168.2.23:35852
Source: Traffic	Snort IDS: 716 INFO TELNET access 46.43.81.150:23 -> 192.168.2.23:50184
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:56152 -> 210.10.143.115:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.43.81.150:23 -> 192.168.2.23:50184
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.43.81.150:23 -> 192.168.2.23:50184
Source: Traffic	Snort IDS: 716 INFO TELNET access 121.161.89.156:23 -> 192.168.2.23:35920
Source: Traffic	Snort IDS: 716 INFO TELNET access 119.112.222.99:23 -> 192.168.2.23:49132
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 121.161.89.156:23 -> 192.168.2.23:35920
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 121.161.89.156:23 -> 192.168.2.23:35920
Source: Traffic	Snort IDS: 716 INFO TELNET access 46.43.81.150:23 -> 192.168.2.23:50258
Source: Traffic	Snort IDS: 716 INFO TELNET access 119.112.222.99:23 -> 192.168.2.23:49276
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.43.81.150:23 -> 192.168.2.23:50258
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.43.81.150:23 -> 192.168.2.23:50258
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 201.227.16.158:23 -> 192.168.2.23:53832
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 201.227.16.158:23 -> 192.168.2.23:53832
Source: Traffic	Snort IDS: 716 INFO TELNET access 119.112.222.99:23 -> 192.168.2.23:49314
Source: Traffic	Snort IDS: 716 INFO TELNET access 121.161.89.156:23 -> 192.168.2.23:36052
Source: Traffic	Snort IDS: 716 INFO TELNET access 46.43.81.150:23 -> 192.168.2.23:50344
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 121.161.89.156:23 -> 192.168.2.23:36052
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 121.161.89.156:23 -> 192.168.2.23:36052
Source: Traffic	Snort IDS: 716 INFO TELNET access 119.112.222.99:23 -> 192.168.2.23:49350
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:49350 -> 119.112.222.99:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.43.81.150:23 -> 192.168.2.23:50344
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.43.81.150:23 -> 192.168.2.23:50344
Source: Traffic	Snort IDS: 716 INFO TELNET access 119.112.222.99:23 -> 192.168.2.23:49390
Source: Traffic	Snort IDS: 716 INFO TELNET access 121.161.89.156:23 -> 192.168.2.23:36178
Source: Traffic	Snort IDS: 716 INFO TELNET access 46.43.81.150:23 -> 192.168.2.23:50472
Source: Traffic	Snort IDS: 716 INFO TELNET access 119.112.222.99:23 -> 192.168.2.23:49470
Source: Traffic	Snort IDS: 716 INFO TELNET access 46.148.45.209:23 -> 192.168.2.23:43770
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 121.161.89.156:23 -> 192.168.2.23:36178
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 121.161.89.156:23 -> 192.168.2.23:36178
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.43.81.150:23 -> 192.168.2.23:50472
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.43.81.150:23 -> 192.168.2.23:50472
Source: Traffic	Snort IDS: 716 INFO TELNET access 153.201.89.42:23 -> 192.168.2.23:40488
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 60.171.241.43:23 -> 192.168.2.23:46126
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 60.171.241.43:23 -> 192.168.2.23:46126
Source: Traffic	Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 83.148.236.126: -> 192.168.2.23:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 110.225.224.254:23 -> 192.168.2.23:40780
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 110.225.224.254:23 -> 192.168.2.23:40780
Source: Traffic	Snort IDS: 716 INFO TELNET access 119.112.222.99:23 -> 192.168.2.23:49536
Source: Traffic	Snort IDS: 716 INFO TELNET access 153.201.89.42:23 -> 192.168.2.23:40550
Source: Traffic	Snort IDS: 716 INFO TELNET access 153.201.89.42:23 -> 192.168.2.23:40580
Source: Traffic	Snort IDS: 716 INFO TELNET access 153.201.89.42:23 -> 192.168.2.23:40610
Source: Traffic	Snort IDS: 716 INFO TELNET access 125.93.192.47:23 -> 192.168.2.23:55888
Source: Traffic	Snort IDS: 716 INFO TELNET access 46.43.81.150:23 -> 192.168.2.23:50648
Source: Traffic	Snort IDS: 716 INFO TELNET access 153.201.89.42:23 -> 192.168.2.23:40630
Source: Traffic	Snort IDS: 716 INFO TELNET access 119.112.222.99:23 -> 192.168.2.23:49644
Source: Traffic	Snort IDS: 716 INFO TELNET access 121.161.89.156:23 -> 192.168.2.23:36398
Source: Traffic	Snort IDS: 716 INFO TELNET access 153.201.89.42:23 -> 192.168.2.23:40664
Source: Traffic	Snort IDS: 716 INFO TELNET access 153.201.89.42:23 -> 192.168.2.23:40676
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 125.93.192.47:23 -> 192.168.2.23:55888
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 46.43.81.150:23 -> 192.168.2.23:50648
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 46.43.81.150:23 -> 192.168.2.23:50648
Source: Traffic	Snort IDS: 716 INFO TELNET access 153.201.89.42:23 -> 192.168.2.23:40708
Source: Traffic	Snort IDS: 716 INFO TELNET access 153.201.89.42:23 -> 192.168.2.23:40754
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 121.161.89.156:23 -> 192.168.2.23:36398
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 121.161.89.156:23 -> 192.168.2.23:36398
Source: Traffic	Snort IDS: 716 INFO TELNET access 119.112.222.99:23 -> 192.168.2.23:49798
Source: Traffic	Snort IDS: 716 INFO TELNET access 153.201.89.42:23 -> 192.168.2.23:40810
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 47.181.103.153:23 -> 192.168.2.23:37648
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 47.181.103.153:23 -> 192.168.2.23:37648
Source: Traffic	Snort IDS: 716 INFO TELNET access 125.93.192.47:23 -> 192.168.2.23:56090
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 60.171.241.43:23 -> 192.168.2.23:46338
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 60.171.241.43:23 -> 192.168.2.23:46338
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.28.36.54:23 -> 192.168.2.23:58384
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.28.36.54:23 -> 192.168.2.23:58384
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 125.93.192.47:23 -> 192.168.2.23:56090
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 201.227.16.158:23 -> 192.168.2.23:54428
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 201.227.16.158:23 -> 192.168.2.23:54428
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 36.65.75.239:23 -> 192.168.2.23:44246
Source: Traffic	Snort IDS: 716 INFO TELNET access 125.93.192.47:23 -> 192.168.2.23:56190
Source: Traffic	Snort IDS: 716 INFO TELNET access 121.161.89.156:23 -> 192.168.2.23:36672
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 125.93.192.47:23 -> 192.168.2.23:56190
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 121.161.89.156:23 -> 192.168.2.23:36672
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 121.161.89.156:23 -> 192.168.2.23:36672
Source: Traffic	Snort IDS: 716 INFO TELNET access 106.243.74.174:23 -> 192.168.2.23:43714
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 47.181.103.153:23 -> 192.168.2.23:37922
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 47.181.103.153:23 -> 192.168.2.23:37922
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 59.28.36.54:23 -> 192.168.2.23:58668
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 59.28.36.54:23 -> 192.168.2.23:58668
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 60.171.241.43:23 -> 192.168.2.23:46634
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 60.171.241.43:23 -> 192.168.2.23:46634
Source: Traffic	Snort IDS: 716 INFO TELNET access 125.93.192.47:23 -> 192.168.2.23:56272
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 177.87.68.118:23 -> 192.168.2.23:58160
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 177.87.68.118:23 -> 192.168.2.23:58160
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:56272 -> 125.93.192.47:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 46.148.45.209:23 -> 192.168.2.23:44324
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 125.93.192.47:23 -> 192.168.2.23:56272

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44276
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44280
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44282
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44286
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44292
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44294
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44296
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44302
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44304
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44308
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48124
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48130
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48138
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48142
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48180
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48184
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48190
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48192
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48194
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48202
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41660
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41662
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41666
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41672
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41678
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41692
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41708
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41716
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41718
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41722
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60138
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60142
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60148
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60154
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60160
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60170
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60182
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60196
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60200
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60206

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:59584 -> 45.88.181.48:420

Source: /tmp/oKukKTcgxV (PID: 5220)	Socket: 0.0.0.0::0
Source: /tmp/oKukKTcgxV (PID: 5226)	Socket: 0.0.0.0::0

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 45.88.181.48
Source: unknown	TCP traffic detected without corresponding DNS query: 207.113.52.250
Source: unknown	TCP traffic detected without corresponding DNS query: 201.70.4.250
Source: unknown	TCP traffic detected without corresponding DNS query: 76.236.252.105
Source: unknown	TCP traffic detected without corresponding DNS query: 58.226.131.74
Source: unknown	TCP traffic detected without corresponding DNS query: 105.233.1.110
Source: unknown	TCP traffic detected without corresponding DNS query: 151.55.201.50
Source: unknown	TCP traffic detected without corresponding DNS query: 138.213.114.78
Source: unknown	TCP traffic detected without corresponding DNS query: 197.96.89.107
Source: unknown	TCP traffic detected without corresponding DNS query: 40.42.3.64
Source: unknown	TCP traffic detected without corresponding DNS query: 197.93.170.176
Source: unknown	TCP traffic detected without corresponding DNS query: 147.255.122.60
Source: unknown	TCP traffic detected without corresponding DNS query: 164.199.129.100
Source: unknown	TCP traffic detected without corresponding DNS query: 163.180.126.127
Source: unknown	TCP traffic detected without corresponding DNS query: 164.25.83.183
Source: unknown	TCP traffic detected without corresponding DNS query: 162.179.224.235
Source: unknown	TCP traffic detected without corresponding DNS query: 60.243.149.221
Source: unknown	TCP traffic detected without corresponding DNS query: 31.189.66.165
Source: unknown	TCP traffic detected without corresponding DNS query: 126.164.233.51
Source: unknown	TCP traffic detected without corresponding DNS query: 180.71.167.183
Source: unknown	TCP traffic detected without corresponding DNS query: 139.177.81.128
Source: unknown	TCP traffic detected without corresponding DNS query: 162.248.239.245
Source: unknown	TCP traffic detected without corresponding DNS query: 85.124.192.213
Source: unknown	TCP traffic detected without corresponding DNS query: 179.221.149.60
Source: unknown	TCP traffic detected without corresponding DNS query: 34.90.84.202
Source: unknown	TCP traffic detected without corresponding DNS query: 206.121.154.70
Source: unknown	TCP traffic detected without corresponding DNS query: 39.193.246.9
Source: unknown	TCP traffic detected without corresponding DNS query: 12.228.206.205
Source: unknown	TCP traffic detected without corresponding DNS query: 251.179.20.180
Source: unknown	TCP traffic detected without corresponding DNS query: 8.141.61.249
Source: unknown	TCP traffic detected without corresponding DNS query: 180.51.22.138
Source: unknown	TCP traffic detected without corresponding DNS query: 27.144.21.206
Source: unknown	TCP traffic detected without corresponding DNS query: 34.39.144.126
Source: unknown	TCP traffic detected without corresponding DNS query: 203.135.193.89
Source: unknown	TCP traffic detected without corresponding DNS query: 98.253.228.202
Source: unknown	TCP traffic detected without corresponding DNS query: 60.25.233.210
Source: unknown	TCP traffic detected without corresponding DNS query: 220.201.185.122
Source: unknown	TCP traffic detected without corresponding DNS query: 91.34.6.106
Source: unknown	TCP traffic detected without corresponding DNS query: 170.194.232.15
Source: unknown	TCP traffic detected without corresponding DNS query: 90.45.224.213
Source: unknown	TCP traffic detected without corresponding DNS query: 213.192.194.67
Source: unknown	TCP traffic detected without corresponding DNS query: 92.145.29.117
Source: unknown	TCP traffic detected without corresponding DNS query: 133.76.106.179
Source: unknown	TCP traffic detected without corresponding DNS query: 43.249.194.223
Source: unknown	TCP traffic detected without corresponding DNS query: 9.116.56.236
Source: unknown	TCP traffic detected without corresponding DNS query: 189.221.133.22
Source: unknown	TCP traffic detected without corresponding DNS query: 107.148.165.246
Source: unknown	TCP traffic detected without corresponding DNS query: 16.27.229.69
Source: unknown	TCP traffic detected without corresponding DNS query: 88.166.126.226
Source: unknown	TCP traffic detected without corresponding DNS query: 195.148.16.89

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/oKukKTcgxV (PID: 5220)	SIGKILL sent: pid: 936, result: successful
Source: /tmp/oKukKTcgxV (PID: 5226)	SIGKILL sent: pid: 936, result: successful

Source: classification engine

Classification label: mal68.troj.lin@0/0@0/0

Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/491/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/793/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/772/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/796/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/774/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/797/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/777/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/799/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/658/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/912/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/759/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/936/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/918/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/1/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/761/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/785/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/884/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/720/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/721/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/788/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/789/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/800/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/801/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/847/fd
Source: /tmp/oKukKTcgxV (PID: 5220)	File opened: /proc/904/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/491/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/793/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/772/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/796/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/774/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/797/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/777/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/799/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/658/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/912/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/759/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/936/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/918/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/1/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/761/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/785/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/884/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/720/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/721/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/788/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/789/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/800/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/801/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/847/fd
Source: /tmp/oKukKTcgxV (PID: 5226)	File opened: /proc/904/fd

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44276
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44280
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44282
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44286
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44292
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44294
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44296
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44302
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44304
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 44308
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48124
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48130
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48138
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48142
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48180
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48184
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48190
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48192
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48194
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 48202
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41660
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41662
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41666
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41672
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41678
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41692
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41708
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41716
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41718
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 41722
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60138
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60142
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60148
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60154
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60160
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60170
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60182
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60196
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60200
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 60206

Source: /tmp/oKukKTcgxV (PID: 5218)

Queries kernel information via 'uname':

Source: oKukKTcgxV, 5218.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5220.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5318.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5335.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5328.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5221.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5319.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5227.1.000000001b10963a.00000000395e0ea2.rw-.sdmp	Binary or memory string: /usr/bin/qemu-m68k
Source: oKukKTcgxV, 5218.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5220.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5318.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5335.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5328.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5221.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5319.1.000000001b10963a.00000000395e0ea2.rw-.sdmp, oKukKTcgxV, 5227.1.000000001b10963a.00000000395e0ea2.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/oKukKTcgxVSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/oKukKTcgxV
Source: oKukKTcgxV, 5218.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5220.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5318.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5335.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5328.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5221.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5319.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5227.1.0000000046d61b23.0000000064d68725.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/m68k
Source: oKukKTcgxV, 5218.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5220.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5318.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5335.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5328.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5221.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5319.1.0000000046d61b23.0000000064d68725.rw-.sdmp, oKukKTcgxV, 5227.1.0000000046d61b23.0000000064d68725.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/m68k

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
oKukKTcgxV	49%	Virustotal		Browse
oKukKTcgxV	56%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
87.178.105.232	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
201.238.73.157	unknown	Trinidad and Tobago	5639	TelecommunicationServicesofTrinidadandTobagoTT	false
98.45.237.215	unknown	United States	7922	COMCAST-7922US	false
61.238.120.145	unknown	Hong Kong	10103	HKBN-AS-APHKBroadbandNetworkLtdHK	false
87.90.192.199	unknown	France	5410	BOUYGTEL-ISPFR	false
24.163.73.173	unknown	United States	11426	TWC-11426-CAROLINASUS	false
208.7.208.76	unknown	United States	5778	CENTURYLINK-LEGACY-EMBARQ-RCMTUS	false
160.20.71.196	unknown	Brazil	266146	I9TelecomBR	false
220.242.193.145	unknown	China	54994	QUANTILNETWORKSUS	false
158.56.76.54	unknown	United States	32577	KROGERUS	false
162.138.241.67	unknown	United States	26229	US-SECUS	false
31.63.90.209	unknown	Poland	5617	TPNETPL	false
115.163.3.19	unknown	Japan	2527	SO-NETSo-netEntertainmentCorporationJP	false
254.126.128.179	unknown	Reserved	unknown	unknown	false
17.246.210.159	unknown	United States	714	APPLE-ENGINEERINGUS	false
125.138.168.93	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
188.98.111.150	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
73.193.212.197	unknown	United States	7922	COMCAST-7922US	false
174.49.111.97	unknown	United States	7922	COMCAST-7922US	false
94.58.218.209	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	false
253.206.239.115	unknown	Reserved	unknown	unknown	false
45.145.30.151	unknown	Turkey	197328	INETLTDTR	false
117.119.192.198	unknown	China	4847	CNIX-APChinaNetworksInter-ExchangeCN	false
1.168.57.177	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
17.34.22.45	unknown	United States	714	APPLE-ENGINEERINGUS	false
46.93.81.106	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
219.115.43.189	unknown	Japan	9617	ZAQJupiterTelecommunicationsCoLtdJP	false
124.67.174.18	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
4.166.177.80	unknown	United States	3356	LEVEL3US	false
73.115.126.227	unknown	United States	7922	COMCAST-7922US	false
46.202.131.132	unknown	Ukraine	6877	AS6877UA	false
20.3.3.115	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
120.139.14.125	unknown	Malaysia	38322	WEBE-MY-AS-APWEBEDIGITALSDNBHDMY	false
94.159.171.133	unknown	Israel	12400	PARTNER-ASIL	false
240.22.210.193	unknown	Reserved	unknown	unknown	false
78.67.219.214	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	false
18.208.17.53	unknown	United States	14618	AMAZON-AESUS	false
221.8.138.8	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
73.125.49.108	unknown	United States	7922	COMCAST-7922US	false
123.72.218.85	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
141.179.178.73	unknown	Saudi Arabia	197921	HBTFJO	false
162.129.150.111	unknown	United States	5723	JHUUS	false
179.29.8.245	unknown	Uruguay	6057	AdministracionNacionaldeTelecomunicacionesUY	false
203.239.210.179	unknown	Korea Republic of	9524	HMC-ASAutoEverSystemsCorpKR	false
59.216.130.118	unknown	China	2516	KDDIKDDICORPORATIONJP	false
105.181.97.103	unknown	Egypt	37069	MOBINILEG	false
48.142.166.164	unknown	United States	2686	ATGS-MMD-ASUS	false
177.180.36.51	unknown	Brazil	28573	CLAROSABR	false
69.17.129.60	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
210.65.20.211	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
146.158.247.125	unknown	Spain	12479	UNI2-ASES	false
243.125.138.235	unknown	Reserved	unknown	unknown	false
198.15.24.95	unknown	unknown	53823	SMTAUS	false
172.89.139.42	unknown	United States	20001	TWC-20001-PACWESTUS	false
254.252.138.151	unknown	Reserved	unknown	unknown	false
103.29.16.191	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
39.156.153.72	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
136.76.251.132	unknown	United States	60311	ONEFMCH	false
97.46.211.173	unknown	United States	22394	CELLCOUS	false
248.15.245.77	unknown	Reserved	unknown	unknown	false
196.233.130.49	unknown	Tunisia	37492	ORANGE-TN	false
151.179.132.97	unknown	United States	45025	EDN-ASUA	false
179.3.182.229	unknown	Chile	27836	SmartcomCL	false
203.82.90.135	unknown	Malaysia	10030	CELCOMNET-APCelcomAxiataBerhadMY	false
47.142.207.252	unknown	United States	5650	FRONTIER-FRTRUS	false
60.53.67.247	unknown	Malaysia	4788	TMNET-AS-APTMNetInternetServiceProviderMY	false
87.173.108.228	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
5.149.171.110	unknown	Ireland	199256	LTH-ASIE	false
156.55.53.187	unknown	United States	22146	LANDAMUS	false
36.208.187.89	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
34.225.88.139	unknown	United States	14618	AMAZON-AESUS	false
61.255.138.227	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
180.73.236.247	unknown	Malaysia	38322	WEBE-MY-AS-APWEBEDIGITALSDNBHDMY	false
24.138.125.167	unknown	Canada	5690	VIANET-NOCA	false
219.205.35.83	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
200.26.11.61	unknown	Argentina	10834	TelefonicadeArgentinaAR	false
114.195.229.235	unknown	Japan	9595	XEPHIONNTT-MECorporationJP	false
149.120.38.127	unknown	United States	174	COGENT-174US	false
88.61.50.242	unknown	Italy	3269	ASN-IBSNAZIT	false
80.236.69.38	unknown	France	21502	ASN-NUMERICABLEFR	false
182.101.83.74	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
152.204.126.179	unknown	Colombia	3816	COLOMBIATELECOMUNICACIONESSAESPCO	false
111.105.27.147	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
254.79.34.34	unknown	Reserved	unknown	unknown	false
255.108.231.35	unknown	Reserved	unknown	unknown	false
57.242.191.202	unknown	Belgium	2686	ATGS-MMD-ASUS	false
159.249.187.130	unknown	United States	29899	GEISINGERUS	false
63.175.2.187	unknown	United States	18618	WCENTRALNUS	false
47.148.105.15	unknown	United States	5650	FRONTIER-FRTRUS	false
35.45.255.30	unknown	United States	36375	UMICH-AS-5US	false
216.224.252.94	unknown	United States	39948	INIT-PHXUS	false
246.77.91.71	unknown	Reserved	unknown	unknown	false
197.231.80.80	unknown	Gabon	37582	ANINFGA	false
172.114.8.196	unknown	United States	20001	TWC-20001-PACWESTUS	false
222.198.149.227	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
179.154.27.220	unknown	Brazil	28573	CLAROSABR	false
189.225.7.203	unknown	Mexico	8151	UninetSAdeCVMX	false
110.111.162.76	unknown	China	38341	CNNIC-HCENET-APHEXIEInformationtechnologyCoLtdCN	false
176.199.129.103	unknown	Germany	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
47.136.192.219	unknown	United States	5650	FRONTIER-FRTRUS	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.211114798485053
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	oKukKTcgxV
File size:	52884
MD5:	5ca61982c3626a6a6317eb28b301c00b
SHA1:	ffde6d29d70c9a8471f0b0c86ca1438662183e8a
SHA256:	e1250ce224b971ff719ba2532e2de4b317aa90a9f82ddc18843d5d7f9a2b6b39
SHA512:	7b0c1320e4193773c89e2b0cdbdcc9ad3f4ff9fae34e4debf378ec1070ee141ee5a1cbc6029d727aa2b9c56df4fd932db2e4b942ecf35b5029ce4ac3e121994e
SSDEEP:	768:wjeK74YNIHchFK0076BhBQeJF/gFHw5/Sfu3We/npgajRJT2YOnI8FL:8FMYiHcHGVFwtSW3pRgajRJiYOI85
File Content Preview:	.ELF.......................D...4.........4. ...(.......................N...N...... ........T...T...T...p.......... .dt.Q............................NV..a....da....<N^NuNV..J9....f>"y...l QJ.g.X.#....lN."y...l QJ.f.A.....J.g.Hy...PN.X.........N^NuNV..N^NuN

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MC68000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x80000144
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	52484
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x80000094	0x94	0x14	0x0	0x6	AX	2
.text	PROGBITS	0x800000a8	0xa8	0xc566	0x0	0x6	AX	4
.fini	PROGBITS	0x8000c60e	0xc60e	0xe	0x0	0x6	AX	2
.rodata	PROGBITS	0x8000c61c	0xc61c	0x532	0x0	0x2	A	2
.ctors	PROGBITS	0x8000eb54	0xcb54	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x8000eb5c	0xcb5c	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x8000eb68	0xcb68	0x15c	0x0	0x3	WA	4
.bss	NOBITS	0x8000ecc4	0xccc4	0x23c	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xccc4	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x80000000	0x80000000	0xcb4e	0xcb4e	4.2405	0x5	R E	0x2000	.init .text .fini .rodata
LOAD	0xcb54	0x8000eb54	0x8000eb54	0x170	0x3ac	0.3184	0x6	RW	0x2000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 21, 2022 04:38:01.892458916 CET	59584	420	192.168.2.23	45.88.181.48
Jan 21, 2022 04:38:01.907440901 CET	24530	23	192.168.2.23	207.113.52.250
Jan 21, 2022 04:38:01.907754898 CET	24530	23	192.168.2.23	201.70.4.250
Jan 21, 2022 04:38:01.907766104 CET	24530	23	192.168.2.23	76.236.252.105
Jan 21, 2022 04:38:01.907855034 CET	24530	23	192.168.2.23	58.226.131.74
Jan 21, 2022 04:38:01.907876015 CET	24530	23	192.168.2.23	105.233.1.110
Jan 21, 2022 04:38:01.907881021 CET	24530	23	192.168.2.23	151.55.201.50
Jan 21, 2022 04:38:01.907928944 CET	24530	23	192.168.2.23	138.213.114.78
Jan 21, 2022 04:38:01.907980919 CET	24530	23	192.168.2.23	197.96.89.107
Jan 21, 2022 04:38:01.908004999 CET	24530	23	192.168.2.23	40.42.3.64
Jan 21, 2022 04:38:01.908006907 CET	24530	23	192.168.2.23	197.93.170.176
Jan 21, 2022 04:38:01.908010960 CET	24530	23	192.168.2.23	147.255.122.60
Jan 21, 2022 04:38:01.908011913 CET	24530	23	192.168.2.23	164.199.129.100
Jan 21, 2022 04:38:01.908030033 CET	24530	23	192.168.2.23	163.180.126.127
Jan 21, 2022 04:38:01.908030033 CET	24530	23	192.168.2.23	164.25.83.183
Jan 21, 2022 04:38:01.908037901 CET	24530	23	192.168.2.23	162.179.224.235
Jan 21, 2022 04:38:01.908039093 CET	24530	23	192.168.2.23	60.243.149.221
Jan 21, 2022 04:38:01.908041000 CET	24530	23	192.168.2.23	31.189.66.165
Jan 21, 2022 04:38:01.908065081 CET	24530	23	192.168.2.23	126.164.233.51
Jan 21, 2022 04:38:01.908068895 CET	24530	23	192.168.2.23	180.71.167.183
Jan 21, 2022 04:38:01.908077002 CET	24530	23	192.168.2.23	139.177.81.128
Jan 21, 2022 04:38:01.908077955 CET	24530	23	192.168.2.23	162.248.239.245
Jan 21, 2022 04:38:01.908082008 CET	24530	23	192.168.2.23	85.124.192.213
Jan 21, 2022 04:38:01.908097029 CET	24530	23	192.168.2.23	179.221.149.60
Jan 21, 2022 04:38:01.908107996 CET	24530	23	192.168.2.23	34.90.84.202
Jan 21, 2022 04:38:01.908202887 CET	24530	23	192.168.2.23	206.121.154.70
Jan 21, 2022 04:38:01.908221960 CET	24530	23	192.168.2.23	39.193.246.9
Jan 21, 2022 04:38:01.908224106 CET	24530	23	192.168.2.23	12.228.206.205
Jan 21, 2022 04:38:01.908227921 CET	24530	23	192.168.2.23	251.179.20.180
Jan 21, 2022 04:38:01.908231974 CET	24530	23	192.168.2.23	8.141.61.249
Jan 21, 2022 04:38:01.908233881 CET	24530	23	192.168.2.23	180.51.22.138
Jan 21, 2022 04:38:01.908235073 CET	24530	23	192.168.2.23	27.144.21.206
Jan 21, 2022 04:38:01.908238888 CET	24530	23	192.168.2.23	34.39.144.126
Jan 21, 2022 04:38:01.908241034 CET	24530	23	192.168.2.23	203.135.193.89
Jan 21, 2022 04:38:01.908242941 CET	24530	23	192.168.2.23	98.253.228.202
Jan 21, 2022 04:38:01.908243895 CET	24530	23	192.168.2.23	60.25.233.210
Jan 21, 2022 04:38:01.908251047 CET	24530	23	192.168.2.23	220.201.185.122
Jan 21, 2022 04:38:01.908252001 CET	24530	23	192.168.2.23	91.34.6.106
Jan 21, 2022 04:38:01.908262014 CET	24530	23	192.168.2.23	170.194.232.15
Jan 21, 2022 04:38:01.908267021 CET	24530	23	192.168.2.23	90.45.224.213
Jan 21, 2022 04:38:01.908267975 CET	24530	23	192.168.2.23	213.192.194.67
Jan 21, 2022 04:38:01.908269882 CET	24530	23	192.168.2.23	92.145.29.117
Jan 21, 2022 04:38:01.908272982 CET	24530	23	192.168.2.23	133.76.106.179
Jan 21, 2022 04:38:01.908277035 CET	24530	23	192.168.2.23	43.249.194.223
Jan 21, 2022 04:38:01.908277988 CET	24530	23	192.168.2.23	9.116.56.236
Jan 21, 2022 04:38:01.908281088 CET	24530	23	192.168.2.23	189.221.133.22
Jan 21, 2022 04:38:01.908283949 CET	24530	23	192.168.2.23	107.148.165.246
Jan 21, 2022 04:38:01.908291101 CET	24530	23	192.168.2.23	16.27.229.69
Jan 21, 2022 04:38:01.908297062 CET	24530	23	192.168.2.23	88.166.126.226
Jan 21, 2022 04:38:01.908299923 CET	24530	23	192.168.2.23	195.148.16.89
Jan 21, 2022 04:38:01.908315897 CET	24530	23	192.168.2.23	192.213.204.248
Jan 21, 2022 04:38:01.908329964 CET	24530	23	192.168.2.23	117.81.58.101
Jan 21, 2022 04:38:01.908333063 CET	24530	23	192.168.2.23	220.225.50.155
Jan 21, 2022 04:38:01.908397913 CET	24530	23	192.168.2.23	182.168.189.163
Jan 21, 2022 04:38:01.908397913 CET	24530	23	192.168.2.23	165.84.180.205
Jan 21, 2022 04:38:01.908400059 CET	24530	23	192.168.2.23	208.216.172.134
Jan 21, 2022 04:38:01.908402920 CET	24530	23	192.168.2.23	221.90.22.48
Jan 21, 2022 04:38:01.908415079 CET	24530	23	192.168.2.23	201.52.134.175
Jan 21, 2022 04:38:01.908416033 CET	24530	23	192.168.2.23	247.5.22.111
Jan 21, 2022 04:38:01.908533096 CET	24530	23	192.168.2.23	17.177.146.250
Jan 21, 2022 04:38:01.908533096 CET	24530	23	192.168.2.23	161.80.51.225
Jan 21, 2022 04:38:01.908536911 CET	24530	23	192.168.2.23	204.154.249.86
Jan 21, 2022 04:38:01.908540010 CET	24530	23	192.168.2.23	60.14.41.37
Jan 21, 2022 04:38:01.908543110 CET	24530	23	192.168.2.23	61.15.163.163
Jan 21, 2022 04:38:01.908541918 CET	24530	23	192.168.2.23	122.0.81.157
Jan 21, 2022 04:38:01.908554077 CET	24530	23	192.168.2.23	247.95.35.206
Jan 21, 2022 04:38:01.908557892 CET	24530	23	192.168.2.23	120.253.95.231
Jan 21, 2022 04:38:01.908555031 CET	24530	23	192.168.2.23	71.110.58.18
Jan 21, 2022 04:38:01.908569098 CET	24530	23	192.168.2.23	221.242.227.17
Jan 21, 2022 04:38:01.908571959 CET	24530	23	192.168.2.23	101.94.51.84
Jan 21, 2022 04:38:01.908574104 CET	24530	23	192.168.2.23	153.128.117.220
Jan 21, 2022 04:38:01.908576965 CET	24530	23	192.168.2.23	23.220.102.200
Jan 21, 2022 04:38:01.908584118 CET	24530	23	192.168.2.23	161.68.104.172
Jan 21, 2022 04:38:01.908588886 CET	24530	23	192.168.2.23	92.64.140.122
Jan 21, 2022 04:38:01.908588886 CET	24530	23	192.168.2.23	110.54.24.67
Jan 21, 2022 04:38:01.908591032 CET	24530	23	192.168.2.23	187.96.209.56
Jan 21, 2022 04:38:01.908610106 CET	24530	23	192.168.2.23	34.209.167.56
Jan 21, 2022 04:38:01.908611059 CET	24530	23	192.168.2.23	183.79.84.150
Jan 21, 2022 04:38:01.908612967 CET	24530	23	192.168.2.23	84.134.65.224
Jan 21, 2022 04:38:01.908615112 CET	24530	23	192.168.2.23	89.226.86.136
Jan 21, 2022 04:38:01.908620119 CET	24530	23	192.168.2.23	40.150.127.108
Jan 21, 2022 04:38:01.908627987 CET	24530	23	192.168.2.23	58.152.219.37
Jan 21, 2022 04:38:01.908627987 CET	24530	23	192.168.2.23	108.129.207.127
Jan 21, 2022 04:38:01.908631086 CET	24530	23	192.168.2.23	124.171.165.153
Jan 21, 2022 04:38:01.908634901 CET	24530	23	192.168.2.23	54.31.251.222
Jan 21, 2022 04:38:01.908634901 CET	24530	23	192.168.2.23	54.98.94.148
Jan 21, 2022 04:38:01.908641100 CET	24530	23	192.168.2.23	175.145.227.51
Jan 21, 2022 04:38:01.908646107 CET	24530	23	192.168.2.23	98.189.246.41
Jan 21, 2022 04:38:01.908646107 CET	24530	23	192.168.2.23	19.195.52.117
Jan 21, 2022 04:38:01.908651114 CET	24530	23	192.168.2.23	148.116.169.60
Jan 21, 2022 04:38:01.908660889 CET	24530	23	192.168.2.23	66.12.245.65
Jan 21, 2022 04:38:01.908677101 CET	24530	23	192.168.2.23	54.51.88.16
Jan 21, 2022 04:38:01.908689976 CET	24530	23	192.168.2.23	90.117.142.79
Jan 21, 2022 04:38:01.908691883 CET	24530	23	192.168.2.23	149.146.70.249
Jan 21, 2022 04:38:01.908709049 CET	24530	23	192.168.2.23	70.116.161.130
Jan 21, 2022 04:38:01.908710957 CET	24530	23	192.168.2.23	84.243.21.118
Jan 21, 2022 04:38:01.908715963 CET	24530	23	192.168.2.23	89.187.208.22
Jan 21, 2022 04:38:01.908716917 CET	24530	23	192.168.2.23	67.116.103.58
Jan 21, 2022 04:38:01.908730030 CET	24530	23	192.168.2.23	219.237.200.57
Jan 21, 2022 04:38:01.908734083 CET	24530	23	192.168.2.23	255.49.239.199

System Behavior

Analysis Process: oKukKTcgxV PID: 5218, Parent PID: 5114

General

Start time:	04:38:01
Start date:	21/01/2022
Path:	/tmp/oKukKTcgxV
Arguments:	/tmp/oKukKTcgxV
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: oKukKTcgxV PID: 5220, Parent PID: 5218

General

Start time:	04:38:01
Start date:	21/01/2022
Path:	/tmp/oKukKTcgxV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: oKukKTcgxV PID: 5318, Parent PID: 5220

General

Start time:	04:40:53
Start date:	21/01/2022
Path:	/tmp/oKukKTcgxV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: oKukKTcgxV PID: 5322, Parent PID: 5220

General

Start time:	04:40:53
Start date:	21/01/2022
Path:	/tmp/oKukKTcgxV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: oKukKTcgxV PID: 5326, Parent PID: 5322

General

Start time:	04:40:53
Start date:	21/01/2022
Path:	/tmp/oKukKTcgxV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: oKukKTcgxV PID: 5335, Parent PID: 5326

General

Start time:	04:40:58
Start date:	21/01/2022
Path:	/tmp/oKukKTcgxV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: oKukKTcgxV PID: 5337, Parent PID: 5326

General

Start time:	04:40:58
Start date:	21/01/2022
Path:	/tmp/oKukKTcgxV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: oKukKTcgxV PID: 5328, Parent PID: 5322

General

Start time:	04:40:53
Start date:	21/01/2022
Path:	/tmp/oKukKTcgxV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: oKukKTcgxV PID: 5330, Parent PID: 5322

General

Start time:	04:40:53
Start date:	21/01/2022
Path:	/tmp/oKukKTcgxV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: oKukKTcgxV PID: 5221, Parent PID: 5218

General

Start time:	04:38:01
Start date:	21/01/2022
Path:	/tmp/oKukKTcgxV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: oKukKTcgxV PID: 5223, Parent PID: 5218

General

Start time:	04:38:01
Start date:	21/01/2022
Path:	/tmp/oKukKTcgxV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: oKukKTcgxV PID: 5226, Parent PID: 5223

General

Start time:	04:38:01
Start date:	21/01/2022
Path:	/tmp/oKukKTcgxV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: oKukKTcgxV PID: 5319, Parent PID: 5226

General

Start time:	04:40:53
Start date:	21/01/2022
Path:	/tmp/oKukKTcgxV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: oKukKTcgxV PID: 5321, Parent PID: 5226

General

Start time:	04:40:53
Start date:	21/01/2022
Path:	/tmp/oKukKTcgxV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: oKukKTcgxV PID: 5227, Parent PID: 5223

General

Start time:	04:38:01
Start date:	21/01/2022
Path:	/tmp/oKukKTcgxV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Analysis Process: oKukKTcgxV PID: 5228, Parent PID: 5223

General

Start time:	04:38:01
Start date:	21/01/2022
Path:	/tmp/oKukKTcgxV
Arguments:	n/a
File size:	4463432 bytes
MD5 hash:	cd177594338c77b895ae27c33f8f86cc

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report oKukKTcgxV

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Overview

PCAP (Network Traffic)

Jbx Signature Overview

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: oKukKTcgxV PID: 5218, Parent PID: 5114

General

Analysis Process: oKukKTcgxV PID: 5220, Parent PID: 5218

General

Analysis Process: oKukKTcgxV PID: 5318, Parent PID: 5220

General

Analysis Process: oKukKTcgxV PID: 5322, Parent PID: 5220

General

Analysis Process: oKukKTcgxV PID: 5326, Parent PID: 5322

General

Analysis Process: oKukKTcgxV PID: 5335, Parent PID: 5326

General

Analysis Process: oKukKTcgxV PID: 5337, Parent PID: 5326

General

Analysis Process: oKukKTcgxV PID: 5328, Parent PID: 5322

General

Analysis Process: oKukKTcgxV PID: 5330, Parent PID: 5322

General

Analysis Process: oKukKTcgxV PID: 5221, Parent PID: 5218

General

Analysis Process: oKukKTcgxV PID: 5223, Parent PID: 5218

General

Linux Analysis Report
oKukKTcgxV