Edit tour

Linux Analysis Report
apL.mips-20220121-0317

Overview

General Information

Sample Name:	apL.mips-20220121-0317
Analysis ID:	557427
MD5:	13e8ba90e042ab6bbc3821fad3cf1837
SHA1:	c7dbaf4b95ad104e35570b287b74f8375f1e5d01
SHA256:	37b5a5d9d5ab50a8dff649678a9f10f26a5923186c97d1a623902b68e795abdc
Infos:

Detection

Mirai

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected Mirai

Multi AV Scanner detection for submitted file

Opens /proc/net/* files useful for finding connected devices and routers

Deletes all firewall rules

Sample deletes itself

Sample is packed with UPX

Deletes security-related log files

Tries to stop the "iptables" service

Executes the "kill" or "pkill" command typically used to terminate processes

Sample contains only a LOAD segment without any section mappings

Reads CPU information from /sys indicative of miner or evasive malware

Yara signature match

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Executes the "systemctl" command used for controlling the systemd system and service manager

Deletes log files

Executes the "iptables" command used for managing IP filtering and manipulation

Executes commands using a shell command-line interpreter

Executes the "rm" command used to delete files or directories

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	557427
Start date:	21.01.2022
Start time:	04:42:43
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	apL.mips-20220121-0317
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal80.spre.troj.evad.linMIPS-20220121-0317@0/2@0/0

Runtime Messages

Command:	/tmp/apL.mips-20220121-0317
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Gosh your fatter then a tree
Standard Error:	Failed to stop iptables.service: Unit iptables.service not loaded. Failed to stop firewalld.service: Unit firewalld.service not loaded. sh: 1: history: not found

Process Tree

system is lnxubuntu20

apL.mips-20220121-0317 (PID: 5216, Parent: 5112, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/apL.mips-20220121-0317

apL.mips-20220121-0317 New Fork (PID: 5218, Parent: 5216)

apL.mips-20220121-0317 New Fork (PID: 5219, Parent: 5216)

apL.mips-20220121-0317 New Fork (PID: 5222, Parent: 5219)

apL.mips-20220121-0317 New Fork (PID: 5224, Parent: 5222)

sh (PID: 5224, Parent: 5222, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 5226, Parent: 5224)

rm (PID: 5226, Parent: 5224, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/apL.mips-20220121-0317 /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/tmp.qtPPbjdkIb /tmp/tmp.tvSNtKHMtv /tmp/tmp.xTL7lOZ5v5 /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf

apL.mips-20220121-0317 New Fork (PID: 5231, Parent: 5222)

sh (PID: 5231, Parent: 5222, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 5233, Parent: 5231)

rm (PID: 5233, Parent: 5231, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

apL.mips-20220121-0317 New Fork (PID: 5234, Parent: 5222)

sh (PID: 5234, Parent: 5222, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 5236, Parent: 5234)

rm (PID: 5236, Parent: 5234, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

apL.mips-20220121-0317 New Fork (PID: 5237, Parent: 5222)

sh (PID: 5237, Parent: 5222, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 5239, Parent: 5237)

rm (PID: 5239, Parent: 5237, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

apL.mips-20220121-0317 New Fork (PID: 5240, Parent: 5222)

sh (PID: 5240, Parent: 5222, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"

sh New Fork (PID: 5242, Parent: 5240)

iptables (PID: 5242, Parent: 5240, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F

apL.mips-20220121-0317 New Fork (PID: 5246, Parent: 5222)

sh (PID: 5246, Parent: 5222, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 5248, Parent: 5246)

pkill (PID: 5248, Parent: 5246, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

apL.mips-20220121-0317 New Fork (PID: 5254, Parent: 5222)

sh (PID: 5254, Parent: 5222, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 5256, Parent: 5254)

pkill (PID: 5256, Parent: 5254, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

apL.mips-20220121-0317 New Fork (PID: 5258, Parent: 5222)

sh (PID: 5258, Parent: 5222, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 5260, Parent: 5258)

pkill (PID: 5260, Parent: 5258, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

apL.mips-20220121-0317 New Fork (PID: 5263, Parent: 5222)

sh (PID: 5263, Parent: 5222, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"

sh New Fork (PID: 5265, Parent: 5263)

service (PID: 5265, Parent: 5263, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop

service New Fork (PID: 5266, Parent: 5265)

basename (PID: 5266, Parent: 5265, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5267, Parent: 5265)

basename (PID: 5267, Parent: 5265, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5268, Parent: 5265)

systemctl (PID: 5268, Parent: 5265, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5269, Parent: 5265)

service New Fork (PID: 5270, Parent: 5269)

systemctl (PID: 5270, Parent: 5269, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5271, Parent: 5269)

sed (PID: 5271, Parent: 5269, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5265, Parent: 5263, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service

apL.mips-20220121-0317 New Fork (PID: 5272, Parent: 5222)

sh (PID: 5272, Parent: 5222, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"

sh New Fork (PID: 5274, Parent: 5272)

iptables (PID: 5274, Parent: 5272, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F

sh New Fork (PID: 5275, Parent: 5272)

iptables (PID: 5275, Parent: 5272, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X

apL.mips-20220121-0317 New Fork (PID: 5276, Parent: 5222)

sh (PID: 5276, Parent: 5222, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"

sh New Fork (PID: 5278, Parent: 5276)

service (PID: 5278, Parent: 5276, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop

service New Fork (PID: 5279, Parent: 5278)

basename (PID: 5279, Parent: 5278, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5280, Parent: 5278)

basename (PID: 5280, Parent: 5278, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5281, Parent: 5278)

systemctl (PID: 5281, Parent: 5278, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5282, Parent: 5278)

service New Fork (PID: 5283, Parent: 5282)

systemctl (PID: 5283, Parent: 5282, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5284, Parent: 5282)

sed (PID: 5284, Parent: 5282, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5278, Parent: 5276, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service

apL.mips-20220121-0317 New Fork (PID: 5287, Parent: 5222)

sh (PID: 5287, Parent: 5222, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"

sh New Fork (PID: 5289, Parent: 5287)

rm (PID: 5289, Parent: 5287, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history

apL.mips-20220121-0317 New Fork (PID: 5290, Parent: 5222)

sh (PID: 5290, Parent: 5222, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"

dash New Fork (PID: 5294, Parent: 4331)

cat (PID: 5294, Parent: 4331, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.qtPPbjdkIb

dash New Fork (PID: 5295, Parent: 4331)

head (PID: 5295, Parent: 4331, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5296, Parent: 4331)

tr (PID: 5296, Parent: 4331, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5297, Parent: 4331)

cut (PID: 5297, Parent: 4331, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5298, Parent: 4331)

cat (PID: 5298, Parent: 4331, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.qtPPbjdkIb

dash New Fork (PID: 5299, Parent: 4331)

head (PID: 5299, Parent: 4331, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5300, Parent: 4331)

tr (PID: 5300, Parent: 4331, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5301, Parent: 4331)

cut (PID: 5301, Parent: 4331, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5302, Parent: 4331)

rm (PID: 5302, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.qtPPbjdkIb /tmp/tmp.tvSNtKHMtv /tmp/tmp.xTL7lOZ5v5

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
apL.mips-20220121-0317	SUSP_ELF_LNX_UPX_Compressed_File	Detects a suspicious ELF binary with UPX compression	Florian Roth	0x8d28:$s1: PROT_EXEC\|PROT_WRITE failed. 0x8d97:$s2: $Id: UPX 0x8d48:$s3: $Info: This file is packed with the UPX executable packer

Memory Dumps

Source	Rule	Description	Author
5219.1.00000000f7f1692e.000000004729ffe7.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5216.1.00000000f7f1692e.000000004729ffe7.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5218.1.00000000f7f1692e.000000004729ffe7.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: apL.mips-20220121-0317	Virustotal: Detection: 27%			Perma Link
Source: apL.mips-20220121-0317	ReversingLabs: Detection: 25%

Source: /usr/bin/pkill (PID: 5248)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 5260)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Source: unknown

HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.23:33608 version: TLS 1.2

Spreading

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/apL.mips-20220121-0317 (PID: 5216)

Opens: /proc/net/route

Jump to behavior

Networking

Deletes all firewall rules

Source: /bin/sh (PID: 5242)

Args: iptables -F

Jump to behavior

Tries to stop the "iptables" service

Source: /usr/sbin/service (PID: 5265)	Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service			Jump to behavior
Source: /usr/sbin/service (PID: 5265)	Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service			Jump to behavior

Source: /bin/sh (PID: 5274)	Iptables executable: /sbin/iptables -> /sbin/iptables -F			Jump to behavior
Source: /bin/sh (PID: 5275)	Iptables executable: /sbin/iptables -> /sbin/iptables -X			Jump to behavior

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 33608
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 33608 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown	TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown	TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 60.220.215.198
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 123.178.234.190
Source: unknown	TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown	TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown	TCP traffic detected without corresponding DNS query: 123.178.234.190
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 123.178.234.190
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 54.171.230.55
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 123.178.234.190
Source: unknown	TCP traffic detected without corresponding DNS query: 123.178.234.190
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 123.178.234.190
Source: unknown	TCP traffic detected without corresponding DNS query: 123.17.44.158
Source: unknown	TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown	TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown	TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown	TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown	TCP traffic detected without corresponding DNS query: 36.65.75.239
Source: unknown	TCP traffic detected without corresponding DNS query: 192.236.160.175
Source: unknown	TCP traffic detected without corresponding DNS query: 192.236.160.175

Source: apL.mips-20220121-0317

String found in binary or memory: http://upx.sf.net

Source: unknown

HTTPS traffic detected: 54.171.230.55:443 -> 192.168.2.23:33608 version: TLS 1.2

Source: LOAD without section mappings

Program segment: 0x100000

Source: apL.mips-20220121-0317, type: SAMPLE

Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

Source: classification engine

Classification label: mal80.spre.troj.evad.linMIPS-20220121-0317@0/2@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Persistence and Installation Behavior

Deletes all firewall rules

Source: /bin/sh (PID: 5242)

Args: iptables -F

Jump to behavior

Tries to stop the "iptables" service

Source: /usr/sbin/service (PID: 5265)	Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service			Jump to behavior
Source: /usr/sbin/service (PID: 5265)	Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service			Jump to behavior

Source: /bin/sh (PID: 5248)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox	Jump to behavior
Source: /bin/sh (PID: 5256)	Pkill executable: /usr/bin/pkill -> pkill -9 perl	Jump to behavior
Source: /bin/sh (PID: 5260)	Pkill executable: /usr/bin/pkill -> pkill -9 python	Jump to behavior

Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/5140/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/5140/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1582/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/3088/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/230/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/230/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/110/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/110/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/231/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/231/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/111/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/111/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/232/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/232/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1579/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/112/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/112/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/233/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/233/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1699/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/113/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/113/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/234/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/234/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1335/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1698/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/114/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/114/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/235/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/235/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1334/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1576/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/2302/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/115/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/115/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/236/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/236/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/116/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/116/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/237/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/237/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/117/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/117/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/118/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/118/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/910/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/910/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/119/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/119/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/912/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/912/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/10/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/10/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/2307/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/11/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/11/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/918/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/918/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/12/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/12/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/13/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/13/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/14/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/14/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/5033/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/5033/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/15/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/15/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/16/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/16/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/17/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/17/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/18/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/18/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1594/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1594/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/120/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/120/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/121/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/121/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1349/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1349/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/1/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/122/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/122/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/243/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/243/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/123/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/123/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/2/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/2/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/124/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/124/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/3/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	File opened: /proc/3/cmdline	Jump to behavior

Source: /usr/sbin/service (PID: 5265)	Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service	Jump to behavior
Source: /usr/sbin/service (PID: 5268)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target	Jump to behavior
Source: /usr/sbin/service (PID: 5270)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket	Jump to behavior
Source: /usr/sbin/service (PID: 5278)	Systemctl executable: /usr/bin/systemctl -> systemctl stop firewalld.service	Jump to behavior
Source: /usr/sbin/service (PID: 5281)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target	Jump to behavior
Source: /usr/sbin/service (PID: 5283)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket	Jump to behavior

Source: /bin/sh (PID: 5274)	Iptables executable: /sbin/iptables -> /sbin/iptables -F			Jump to behavior
Source: /bin/sh (PID: 5275)	Iptables executable: /sbin/iptables -> /sbin/iptables -X			Jump to behavior

Source: /tmp/apL.mips-20220121-0317 (PID: 5224)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"	Jump to behavior
Source: /tmp/apL.mips-20220121-0317 (PID: 5231)	Shell command executed: sh -c "rm -rf /var/log/wtmp"	Jump to behavior
Source: /tmp/apL.mips-20220121-0317 (PID: 5234)	Shell command executed: sh -c "rm -rf /tmp/*"	Jump to behavior
Source: /tmp/apL.mips-20220121-0317 (PID: 5237)	Shell command executed: sh -c "rm -rf /bin/netstat"	Jump to behavior
Source: /tmp/apL.mips-20220121-0317 (PID: 5240)	Shell command executed: sh -c "iptables -F"	Jump to behavior
Source: /tmp/apL.mips-20220121-0317 (PID: 5246)	Shell command executed: sh -c "pkill -9 busybox"	Jump to behavior
Source: /tmp/apL.mips-20220121-0317 (PID: 5254)	Shell command executed: sh -c "pkill -9 perl"	Jump to behavior
Source: /tmp/apL.mips-20220121-0317 (PID: 5258)	Shell command executed: sh -c "pkill -9 python"	Jump to behavior
Source: /tmp/apL.mips-20220121-0317 (PID: 5263)	Shell command executed: sh -c "service iptables stop"	Jump to behavior
Source: /tmp/apL.mips-20220121-0317 (PID: 5272)	Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"	Jump to behavior
Source: /tmp/apL.mips-20220121-0317 (PID: 5276)	Shell command executed: sh -c "service firewalld stop"	Jump to behavior
Source: /tmp/apL.mips-20220121-0317 (PID: 5287)	Shell command executed: sh -c "rm -rf ~/.bash_history"	Jump to behavior
Source: /tmp/apL.mips-20220121-0317 (PID: 5290)	Shell command executed: sh -c "history -c"	Jump to behavior

Source: /bin/sh (PID: 5226)	Rm executable: /usr/bin/rm -> rm -rf /tmp/apL.mips-20220121-0317 /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/tmp.qtPPbjdkIb /tmp/tmp.tvSNtKHMtv /tmp/tmp.xTL7lOZ5v5 /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf	Jump to behavior
Source: /bin/sh (PID: 5233)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp	Jump to behavior
Source: /bin/sh (PID: 5236)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*	Jump to behavior
Source: /bin/sh (PID: 5239)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat	Jump to behavior
Source: /bin/sh (PID: 5289)	Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history	Jump to behavior
Source: /usr/bin/dash (PID: 5302)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.qtPPbjdkIb /tmp/tmp.tvSNtKHMtv /tmp/tmp.xTL7lOZ5v5	Jump to behavior

Source: submitted sample

Stderr: Failed to stop iptables.service: Unit iptables.service not loaded.Failed to stop firewalld.service: Unit firewalld.service not loaded.sh: 1: history: not found: exit code = 0

Source: /usr/sbin/service (PID: 5271)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p			Jump to behavior
Source: /usr/sbin/service (PID: 5284)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /usr/bin/rm (PID: 5226)

File: /tmp/apL.mips-20220121-0317

Jump to behavior

Malware Analysis System Evasion

Deletes security-related log files

Source: /usr/bin/rm (PID: 5233)

Truncated file: /var/log/wtmp

Jump to behavior

Source: /usr/bin/pkill (PID: 5248)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 5256)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 5260)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Source: /tmp/apL.mips-20220121-0317 (PID: 5216)

Queries kernel information via 'uname':

Jump to behavior

Source: /usr/bin/rm (PID: 5233)

Truncated file: /var/log/wtmp

Jump to behavior

Source: apL.mips-20220121-0317, 5216.1.00000000bdaea5af.00000000fc156366.rw-.sdmp, apL.mips-20220121-0317, 5218.1.00000000bdaea5af.00000000fc156366.rw-.sdmp, apL.mips-20220121-0317, 5219.1.00000000bdaea5af.00000000fc156366.rw-.sdmp	Binary or memory string: 5V!/etc/qemu-binfmt/mips
Source: apL.mips-20220121-0317, 5216.1.00000000e79fcff1.000000003a41f088.rw-.sdmp, apL.mips-20220121-0317, 5218.1.00000000e79fcff1.000000003a41f088.rw-.sdmp, apL.mips-20220121-0317, 5219.1.00000000e79fcff1.000000003a41f088.rw-.sdmp	Binary or memory string: :XYx86_64/usr/bin/qemu-mips/tmp/apL.mips-20220121-0317SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/apL.mips-20220121-0317
Source: apL.mips-20220121-0317, 5216.1.00000000bdaea5af.00000000fc156366.rw-.sdmp, apL.mips-20220121-0317, 5218.1.00000000bdaea5af.00000000fc156366.rw-.sdmp, apL.mips-20220121-0317, 5219.1.00000000bdaea5af.00000000fc156366.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: apL.mips-20220121-0317, 5216.1.00000000e79fcff1.000000003a41f088.rw-.sdmp, apL.mips-20220121-0317, 5218.1.00000000e79fcff1.000000003a41f088.rw-.sdmp, apL.mips-20220121-0317, 5219.1.00000000e79fcff1.000000003a41f088.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: apL.mips-20220121-0317, 5216.1.00000000e79fcff1.000000003a41f088.rw-.sdmp	Binary or memory string: 5V/tmp/qemu-open.JEqahA\
Source: apL.mips-20220121-0317, 5216.1.00000000e79fcff1.000000003a41f088.rw-.sdmp	Binary or memory string: /tmp/qemu-open.JEqahA

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 5219.1.00000000f7f1692e.000000004729ffe7.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5216.1.00000000f7f1692e.000000004729ffe7.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5218.1.00000000f7f1692e.000000004729ffe7.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 5219.1.00000000f7f1692e.000000004729ffe7.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5216.1.00000000f7f1692e.000000004729ffe7.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5218.1.00000000f7f1692e.000000004729ffe7.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	1 Systemd Service	1 Systemd Service	1 Disable or Modify Tools	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scripting	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Scripting	LSASS Memory	1 Remote System Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Disable or Modify System Firewall	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Indicator Removal on Host	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 File Deletion	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
apL.mips-20220121-0317	28%	Virustotal		Browse
apL.mips-20220121-0317	26%	ReversingLabs	Linux.Trojan.Gafgyt

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	apL.mips-20220121-0317	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.171.230.55	unknown	United States	16509	AMAZON-02US	false
123.178.234.190	unknown	China	4809	CHINATELECOM-CORE-WAN-CN2ChinaTelecomNextGenerationCarr	false
36.65.75.239	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	false
192.236.160.175	unknown	United States	54290	HOSTWINDSUS	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
123.17.44.158	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
60.220.215.198	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
54.171.230.55	sofgiiKIp3	Get hash	malicious	Browse
	i686	Get hash	malicious	Browse
	sparc	Get hash	malicious	Browse
	uYtea.arc	Get hash	malicious	Browse
	uYtea.arm6	Get hash	malicious	Browse
	m-p.s-l.Sakura	Get hash	malicious	Browse
	x-3.2-.Sakura	Get hash	malicious	Browse
	gang123isgodloluaintgettingthesebinslikedammwtf.spc	Get hash	malicious	Browse
	x-3.2-.ISIS	Get hash	malicious	Browse
	sJjtE0SIUA	Get hash	malicious	Browse
	1m-i.p-s.ISIS	Get hash	malicious	Browse
	ei1GN1bm9j.bin	Get hash	malicious	Browse
	gigo.arm5	Get hash	malicious	Browse
	gigo.sparc	Get hash	malicious	Browse
	M3Ovz7vQJH	Get hash	malicious	Browse
	e2Sc66iXF4	Get hash	malicious	Browse
	urO2EDy6c5	Get hash	malicious	Browse
	7vGzpU7jE5	Get hash	malicious	Browse
	XOKr7xQo3V	Get hash	malicious	Browse
	6GtsIivBFH	Get hash	malicious	Browse
192.236.160.175	apL.mips-20220102-0451	Get hash	malicious	Browse
	apL.mips-20220101-2240	Get hash	malicious	Browse
	LlFJfMj8OG	Get hash	malicious	Browse
	arm7	Get hash	malicious	Browse
	apL.mips-20211225-0325	Get hash	malicious	Browse
	apL.mips	Get hash	malicious	Browse
109.202.202.202	sofgiiKIp3	Get hash	malicious	Browse
	3BEtt6iGtf	Get hash	malicious	Browse
	beamer.arm-20220121-0227	Get hash	malicious	Browse
	beamer.mpsl-20220121-0227	Get hash	malicious	Browse
	beamer.arm5-20220121-0227	Get hash	malicious	Browse
	beamer.arm7-20220121-0227	Get hash	malicious	Browse
	beamer.x86-20220121-0227	Get hash	malicious	Browse
	beamer.arm6-20220121-0228	Get hash	malicious	Browse
	beamer.mips-20220121-0228	Get hash	malicious	Browse
	znqCpAz1XA	Get hash	malicious	Browse
	QAJtrv7H4M	Get hash	malicious	Browse
	PycdMYCEkJ	Get hash	malicious	Browse
	o4c1odD4PQ	Get hash	malicious	Browse
	bEL2v6KXcf	Get hash	malicious	Browse
	hXNxVZAxgi	Get hash	malicious	Browse
	BAOtwtJ7xa	Get hash	malicious	Browse
	daddyl33t.mips	Get hash	malicious	Browse
	daddyl33t.x86	Get hash	malicious	Browse
	daddyl33t.arm5	Get hash	malicious	Browse
	x86_64unpacked	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CHINATELECOM-CORE-WAN-CN2ChinaTelecomNextGenerationCarr	AjMi8Y9sWW	Get hash	malicious	Browse	182.149.128.122
	arm7	Get hash	malicious	Browse	117.38.62.174
	pZzW2ZDtRq	Get hash	malicious	Browse	122.225.201.190
	loligang.x86	Get hash	malicious	Browse	117.38.161.115
	Ioj3xaahaJ	Get hash	malicious	Browse	123.170.241.43
	HvEXgCpRA0	Get hash	malicious	Browse	123.178.148.10
	sys.exe	Get hash	malicious	Browse	123.179.113.245
	SecuriteInfo.com.Linux.Siggen.4016.19125.25276	Get hash	malicious	Browse	124.233.74.182
	85kOai8Kfs	Get hash	malicious	Browse	182.149.234.163
	CDU23XnxdQ	Get hash	malicious	Browse	122.225.196.212
	sora.x86-20211227-2350	Get hash	malicious	Browse	59.61.99.95
	kc7VCc7Qlj	Get hash	malicious	Browse	218.3.231.128
	x86	Get hash	malicious	Browse	123.178.124.84
	kwuUQTa6up	Get hash	malicious	Browse	121.59.45.208
	x86_64-20211225-0506	Get hash	malicious	Browse	123.172.138.250
	arm6-20211225-0506	Get hash	malicious	Browse	59.60.173.86
	Kv6ZLAm1qK	Get hash	malicious	Browse	123.179.192.29
	LrAy91VGnK	Get hash	malicious	Browse	117.39.238.24
	phantom.x86	Get hash	malicious	Browse	123.171.223.87
	38C6gV7JxB	Get hash	malicious	Browse	116.8.120.206
AMAZON-02US	ZFvtIZszMd	Get hash	malicious	Browse	13.238.47.38
	oTdXpH4hrI	Get hash	malicious	Browse	13.50.219.72
	QuSDT8cmP0	Get hash	malicious	Browse	108.130.186.163
	sofgiiKIp3	Get hash	malicious	Browse	54.171.230.55
	3BEtt6iGtf	Get hash	malicious	Browse	34.249.145.219
	L2BA5a7tEn.exe	Get hash	malicious	Browse	44.227.76.166
	beamer.arm6-20220121-0228	Get hash	malicious	Browse	34.249.145.219
	gyZb3APQT2.exe	Get hash	malicious	Browse	3.133.207.110
	QAJtrv7H4M	Get hash	malicious	Browse	34.249.145.219
	hXNxVZAxgi	Get hash	malicious	Browse	34.249.145.219
	daddyl33t.mips	Get hash	malicious	Browse	34.249.145.219
	daddyl33t.x86	Get hash	malicious	Browse	34.249.145.219
	daddyl33t.arm5	Get hash	malicious	Browse	34.249.145.219
	DHL Online Receipt.html	Get hash	malicious	Browse	143.204.98.6
	x86_64unpacked	Get hash	malicious	Browse	34.249.145.219
	bashirc.i686	Get hash	malicious	Browse	34.249.145.219
	bashirc.x86_64	Get hash	malicious	Browse	34.249.145.219
	i686	Get hash	malicious	Browse	54.171.230.55
	x86_64	Get hash	malicious	Browse	34.249.145.219
	V9b8ERFNFo.exe	Get hash	malicious	Browse	52.14.18.129
TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	Y9uHYfBuu4	Get hash	malicious	Browse	180.254.186.124
	jKira.x86	Get hash	malicious	Browse	110.139.21.58
	XXdpoMjZ4x	Get hash	malicious	Browse	36.88.58.103
	x86	Get hash	malicious	Browse	180.241.233.157
	E6dQ2XkeME	Get hash	malicious	Browse	36.70.180.22
	wRdL20qd2B	Get hash	malicious	Browse	125.165.18.43
	KPT46qUKYK	Get hash	malicious	Browse	110.137.93.17
	FjewfQ97T2	Get hash	malicious	Browse	180.246.66.43
	x86	Get hash	malicious	Browse	36.94.43.27
	B5TPE3o67p	Get hash	malicious	Browse	36.95.69.55
	nPLk9q5glA	Get hash	malicious	Browse	104.111.33.148
	loligang.x86	Get hash	malicious	Browse	180.253.196.230
	pRqgU7RMXo	Get hash	malicious	Browse	36.95.189.202
	xs8ZDCjaun	Get hash	malicious	Browse	36.80.71.74
	XcAMMSO6Ty	Get hash	malicious	Browse	125.164.187.121
	qqoyGfNHbW	Get hash	malicious	Browse	118.96.77.167
	9AKqKIWIg2	Get hash	malicious	Browse	36.84.65.201
	sPSELsYNnr	Get hash	malicious	Browse	180.254.226.204
	x86	Get hash	malicious	Browse	36.86.237.196
	iJ8UIRhhuF	Get hash	malicious	Browse	36.87.49.243

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
fb4726d465c5f28b84cd6d14cedd13a7	x-3.2-.Sakura	Get hash	malicious	Browse	54.171.230.55
	x-3.2-.ISIS	Get hash	malicious	Browse	54.171.230.55
	sJjtE0SIUA	Get hash	malicious	Browse	54.171.230.55
	ei1GN1bm9j.bin	Get hash	malicious	Browse	54.171.230.55
	7vGzpU7jE5	Get hash	malicious	Browse	54.171.230.55
	3zrwbZxY4X	Get hash	malicious	Browse	54.171.230.55
	aNO8pyQqrd	Get hash	malicious	Browse	54.171.230.55
	file.sh	Get hash	malicious	Browse	54.171.230.55
	4M7eKBXgmP	Get hash	malicious	Browse	54.171.230.55
	0fxLXeIFzd	Get hash	malicious	Browse	54.171.230.55
	x86	Get hash	malicious	Browse	54.171.230.55
	zr2f3By45j	Get hash	malicious	Browse	54.171.230.55
	Umk7QJuGEg	Get hash	malicious	Browse	54.171.230.55
	mips	Get hash	malicious	Browse	54.171.230.55
	iudtNlTJnR	Get hash	malicious	Browse	54.171.230.55
	arm5	Get hash	malicious	Browse	54.171.230.55
	ePGimaCGMS	Get hash	malicious	Browse	54.171.230.55
	UszH4XGJBI	Get hash	malicious	Browse	54.171.230.55
	B5x6nHyB4V	Get hash	malicious	Browse	54.171.230.55
	x86	Get hash	malicious	Browse	54.171.230.55

Process:	/tmp/apL.mips-20220121-0317
File Type:	ASCII text
Category:	dropped
Size (bytes):	38
Entropy (8bit):	3.3918926446809334
Encrypted:	false
SSDEEP:	3:KkZRAkd:KaAu
MD5:	C7EA09D26E26605227076E0514A33038
SHA1:	C3F9736E9AF7BD0885578859A50B205C8FA5FC8E
SHA-256:	7E8AD76E0D200E93918CA2E93C99FF8ECD02071953BF1479819DB3AC0DBB6D07
SHA-512:	17D0088725EB9991E9EB82E8A3DE0878E45E6F394BBC2AD260AA59C786FF0AD565E145E21256425D1C0ABE15F3ECB402EBB0A6A5E1C2D5BA7A4D95EC93A2861F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	nameserver 8.8.8.8.nameserver 8.8.4.4.

/tmp/qemu-open.JEqahA (deleted)

Download File

Process:	/tmp/apL.mips-20220121-0317
File Type:	ASCII text
Category:	dropped
Size (bytes):	230
Entropy (8bit):	3.709552666863289
Encrypted:	false
SSDEEP:	6:iekrEcvwAsE5KlwSd4pzKaV6Lpms/a/1VCxGF:ur+m5MwSdIKaV6L1adVRF
MD5:	2E667F43AE18CD1FE3C108641708A82C
SHA1:	12B90DE2DA0FBCFE66F3D6130905E56C8D6A68D3
SHA-256:	6F721492E7A337C5B498A8F55F5EB7AC745AFF716D0B5B08EFF2C1B6B250F983
SHA-512:	D2A0EE2509154EC1098994F38BE172F98F4150399C534A04D5C675D7C05630802225019F19344CC9070C576BC465A4FEB382AC7712DE6BF25E9244B54A9DB830
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Iface.Destination.Gateway .Flags.RefCnt.Use.Metric.Mask..MTU.Window.IRTT .ens160.00000000.c0a80201.0003.0.0.0.00000000.0.0.0.ens160.c0a80200.00000000.0001.0.0.0.ffffff00.0.0.0.

Static File Info

General

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	7.946793281986122
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	apL.mips-20220121-0317
File size:	46204
MD5:	13e8ba90e042ab6bbc3821fad3cf1837
SHA1:	c7dbaf4b95ad104e35570b287b74f8375f1e5d01
SHA256:	37b5a5d9d5ab50a8dff649678a9f10f26a5923186c97d1a623902b68e795abdc
SHA512:	ceb092fbdfd3ad39f6a49ee9dbf9d212ea7d3c9eec014dcc2bc5ba83bc6b1ab8f02965c453b1c076979c128011dfda8f12f32d6f4e363d7af8c4f951243a9cc7
SSDEEP:	768:r5FMs2rPZhkq92ZVHGWVLQttQwuHcIB085oYk6N50IwumgJgGlzDpbuR1JAnAtlZ:p2rd9CmKLstQwuYvYj7hw8VJuLaihT
File Content Preview:	.ELF.......................x...4.........4. ...(.........................................._\|.F_\|.F_\|....................UPX!.d.....................b.......?.E.h4...@b..) ..]..0..ap%d>.>y....\._......@.....g#`.....o2Z.....x.....-"...i..;%...GT..e1.3"......

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x108178
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0x94bc	0x94bc	4.1385	0x5	R E	0x10000
LOAD	0x5f7c	0x465f7c	0x465f7c	0x0	0x0	0.0000	0x6	RW	0x10000

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 21, 2022 04:43:27.388259888 CET	42836	443	192.168.2.23	91.189.91.43
Jan 21, 2022 04:43:27.740784883 CET	56260	27152	192.168.2.23	192.236.160.175
Jan 21, 2022 04:43:27.777579069 CET	27152	56260	192.236.160.175	192.168.2.23
Jan 21, 2022 04:43:27.777770996 CET	56260	27152	192.168.2.23	192.236.160.175
Jan 21, 2022 04:43:27.778276920 CET	56260	27152	192.168.2.23	192.236.160.175
Jan 21, 2022 04:43:27.803800106 CET	27152	56260	192.236.160.175	192.168.2.23
Jan 21, 2022 04:43:28.156265020 CET	42516	80	192.168.2.23	109.202.202.202
Jan 21, 2022 04:43:40.443809032 CET	33608	443	192.168.2.23	54.171.230.55
Jan 21, 2022 04:43:40.504060030 CET	443	33608	54.171.230.55	192.168.2.23
Jan 21, 2022 04:43:41.433717012 CET	23	54484	60.220.215.198	192.168.2.23
Jan 21, 2022 04:43:41.433834076 CET	54484	23	192.168.2.23	60.220.215.198
Jan 21, 2022 04:43:42.491638899 CET	43928	443	192.168.2.23	91.189.91.42
Jan 21, 2022 04:43:43.660487890 CET	23	46370	123.178.234.190	192.168.2.23
Jan 21, 2022 04:43:43.660621881 CET	46370	23	192.168.2.23	123.178.234.190
Jan 21, 2022 04:43:45.621551991 CET	27152	56260	192.236.160.175	192.168.2.23
Jan 21, 2022 04:43:45.621700048 CET	56260	27152	192.168.2.23	192.236.160.175
Jan 21, 2022 04:43:45.647458076 CET	27152	56260	192.236.160.175	192.168.2.23
Jan 21, 2022 04:43:45.647593975 CET	56260	27152	192.168.2.23	192.236.160.175
Jan 21, 2022 04:43:50.340563059 CET	23	46508	123.178.234.190	192.168.2.23
Jan 21, 2022 04:43:50.340821028 CET	46508	23	192.168.2.23	123.178.234.190
Jan 21, 2022 04:43:54.779340982 CET	42836	443	192.168.2.23	91.189.91.43
Jan 21, 2022 04:43:55.714517117 CET	443	33608	54.171.230.55	192.168.2.23
Jan 21, 2022 04:43:55.714546919 CET	443	33608	54.171.230.55	192.168.2.23
Jan 21, 2022 04:43:55.714557886 CET	443	33608	54.171.230.55	192.168.2.23
Jan 21, 2022 04:43:55.714571953 CET	443	33608	54.171.230.55	192.168.2.23
Jan 21, 2022 04:43:55.714797974 CET	33608	443	192.168.2.23	54.171.230.55
Jan 21, 2022 04:43:55.714850903 CET	33608	443	192.168.2.23	54.171.230.55
Jan 21, 2022 04:43:55.714858055 CET	33608	443	192.168.2.23	54.171.230.55
Jan 21, 2022 04:43:55.715085983 CET	33608	443	192.168.2.23	54.171.230.55
Jan 21, 2022 04:43:55.715353966 CET	443	33608	54.171.230.55	192.168.2.23
Jan 21, 2022 04:43:55.715492964 CET	33608	443	192.168.2.23	54.171.230.55
Jan 21, 2022 04:43:55.717931032 CET	33608	443	192.168.2.23	54.171.230.55
Jan 21, 2022 04:43:55.775317907 CET	443	33608	54.171.230.55	192.168.2.23
Jan 21, 2022 04:43:55.939399004 CET	443	33608	54.171.230.55	192.168.2.23
Jan 21, 2022 04:43:55.939620018 CET	33608	443	192.168.2.23	54.171.230.55
Jan 21, 2022 04:43:55.940027952 CET	33608	443	192.168.2.23	54.171.230.55
Jan 21, 2022 04:43:56.002125025 CET	443	33608	54.171.230.55	192.168.2.23
Jan 21, 2022 04:43:56.019778013 CET	443	33608	54.171.230.55	192.168.2.23
Jan 21, 2022 04:43:56.019942999 CET	33608	443	192.168.2.23	54.171.230.55
Jan 21, 2022 04:43:56.022514105 CET	33608	443	192.168.2.23	54.171.230.55
Jan 21, 2022 04:43:56.105163097 CET	443	33608	54.171.230.55	192.168.2.23
Jan 21, 2022 04:43:56.459074020 CET	23	46656	123.178.234.190	192.168.2.23
Jan 21, 2022 04:43:56.459467888 CET	46656	23	192.168.2.23	123.178.234.190
Jan 21, 2022 04:43:58.099374056 CET	443	33608	54.171.230.55	192.168.2.23
Jan 21, 2022 04:43:58.099422932 CET	443	33608	54.171.230.55	192.168.2.23
Jan 21, 2022 04:43:58.099585056 CET	33608	443	192.168.2.23	54.171.230.55
Jan 21, 2022 04:43:58.099632025 CET	33608	443	192.168.2.23	54.171.230.55
Jan 21, 2022 04:43:58.875087976 CET	42516	80	192.168.2.23	109.202.202.202
Jan 21, 2022 04:44:13.660618067 CET	23	46370	123.178.234.190	192.168.2.23
Jan 21, 2022 04:44:13.660847902 CET	46370	23	192.168.2.23	123.178.234.190
Jan 21, 2022 04:44:20.340912104 CET	23	46508	123.178.234.190	192.168.2.23
Jan 21, 2022 04:44:20.341245890 CET	46508	23	192.168.2.23	123.178.234.190
Jan 21, 2022 04:44:23.450227976 CET	43928	443	192.168.2.23	91.189.91.42
Jan 21, 2022 04:44:26.460503101 CET	23	46656	123.178.234.190	192.168.2.23
Jan 21, 2022 04:44:26.460788965 CET	46656	23	192.168.2.23	123.178.234.190
Jan 21, 2022 04:44:30.784326077 CET	23	53046	123.17.44.158	192.168.2.23
Jan 21, 2022 04:44:30.784523964 CET	53046	23	192.168.2.23	123.17.44.158
Jan 21, 2022 04:44:45.650542021 CET	27152	56260	192.236.160.175	192.168.2.23
Jan 21, 2022 04:44:45.650983095 CET	56260	27152	192.168.2.23	192.236.160.175
Jan 21, 2022 04:44:45.676701069 CET	27152	56260	192.236.160.175	192.168.2.23
Jan 21, 2022 04:44:45.676911116 CET	56260	27152	192.168.2.23	192.236.160.175
Jan 21, 2022 04:45:45.679289103 CET	27152	56260	192.236.160.175	192.168.2.23
Jan 21, 2022 04:45:45.679570913 CET	56260	27152	192.168.2.23	192.236.160.175
Jan 21, 2022 04:45:45.705296993 CET	27152	56260	192.236.160.175	192.168.2.23
Jan 21, 2022 04:45:45.705430984 CET	56260	27152	192.168.2.23	192.236.160.175
Jan 21, 2022 04:46:24.381228924 CET	23	45588	36.65.75.239	192.168.2.23
Jan 21, 2022 04:46:24.381429911 CET	45588	23	192.168.2.23	36.65.75.239
Jan 21, 2022 04:46:45.701894999 CET	27152	56260	192.236.160.175	192.168.2.23
Jan 21, 2022 04:46:45.702198029 CET	56260	27152	192.168.2.23	192.236.160.175
Jan 21, 2022 04:46:45.727813005 CET	27152	56260	192.236.160.175	192.168.2.23
Jan 21, 2022 04:46:45.727952957 CET	56260	27152	192.168.2.23	192.236.160.175

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 21, 2022 04:43:55.715353966 CET	54.171.230.55	443	192.168.2.23	33608	CN=motd.ubuntu.com CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Mon Nov 22 12:20:38 CET 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Sun Feb 20 12:20:37 CET 2022 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,4866-4867-4865-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-49188-49192-107-106-49267-49271-196-195-49187-49191-103-64-49266-49270-190-189-49162-49172-57-56-136-135-49161-49171-51-50-69-68-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-65-255,0-11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2	fb4726d465c5f28b84cd6d14cedd13a7
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024

System Behavior

Analysis Process: apL.mips-20220121-0317 PID: 5216, Parent PID: 5112

General

Start time:	04:43:26
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	/tmp/apL.mips-20220121-0317
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:27
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:27
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:27
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:27
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:27
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:27
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:27
Start date:	21/01/2022
Path:	/usr/bin/rm
Arguments:	rm -rf /tmp/apL.mips-20220121-0317 /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/tmp.qtPPbjdkIb /tmp/tmp.tvSNtKHMtv /tmp/tmp.xTL7lOZ5v5 /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time:	04:43:35
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:35
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	sh -c "rm -rf /var/log/wtmp"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:35
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:35
Start date:	21/01/2022
Path:	/usr/bin/rm
Arguments:	rm -rf /var/log/wtmp
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time:	04:43:35
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:35
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	sh -c "rm -rf /tmp/*"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:35
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:35
Start date:	21/01/2022
Path:	/usr/bin/rm
Arguments:	rm -rf /tmp/*
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time:	04:43:35
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:35
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	sh -c "rm -rf /bin/netstat"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:35
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:35
Start date:	21/01/2022
Path:	/usr/bin/rm
Arguments:	rm -rf /bin/netstat
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time:	04:43:35
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:35
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	sh -c "iptables -F"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:35
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:35
Start date:	21/01/2022
Path:	/usr/sbin/iptables
Arguments:	iptables -F
File size:	99296 bytes
MD5 hash:	1ab05fef765b6342cdfadaa5275b33af

Start time:	04:43:35
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:35
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	sh -c "pkill -9 busybox"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:35
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:35
Start date:	21/01/2022
Path:	/usr/bin/pkill
Arguments:	pkill -9 busybox
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

Start time:	04:43:37
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:37
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	sh -c "pkill -9 perl"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:38
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:38
Start date:	21/01/2022
Path:	/usr/bin/pkill
Arguments:	pkill -9 perl
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

Start time:	04:43:40
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:40
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	sh -c "pkill -9 python"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:40
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:40
Start date:	21/01/2022
Path:	/usr/bin/pkill
Arguments:	pkill -9 python
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

Start time:	04:43:42
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:42
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	sh -c "service iptables stop"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:42
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:42
Start date:	21/01/2022
Path:	/usr/sbin/service
Arguments:	service iptables stop
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:42
Start date:	21/01/2022
Path:	/usr/sbin/service
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:42
Start date:	21/01/2022
Path:	/usr/bin/basename
Arguments:	basename /usr/sbin/service
File size:	39256 bytes
MD5 hash:	3283660e59f128df18bec9b96fbd4d41

Start time:	04:43:42
Start date:	21/01/2022
Path:	/usr/sbin/service
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:42
Start date:	21/01/2022
Path:	/usr/bin/basename
Arguments:	basename /usr/sbin/service
File size:	39256 bytes
MD5 hash:	3283660e59f128df18bec9b96fbd4d41

Start time:	04:43:42
Start date:	21/01/2022
Path:	/usr/sbin/service
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:42
Start date:	21/01/2022
Path:	/usr/bin/systemctl
Arguments:	systemctl --quiet is-active multi-user.target
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time:	04:43:42
Start date:	21/01/2022
Path:	/usr/sbin/service
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:42
Start date:	21/01/2022
Path:	/usr/sbin/service
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:42
Start date:	21/01/2022
Path:	/usr/bin/systemctl
Arguments:	systemctl list-unit-files --full --type=socket
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time:	04:43:42
Start date:	21/01/2022
Path:	/usr/sbin/service
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:42
Start date:	21/01/2022
Path:	/usr/bin/sed
Arguments:	sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
File size:	121288 bytes
MD5 hash:	885062561f66aa1d4af4c54b9e7cc81a

Start time:	04:43:44
Start date:	21/01/2022
Path:	/usr/bin/systemctl
Arguments:	systemctl stop iptables.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time:	04:43:44
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:44
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	sh -c "/sbin/iptables -F; /sbin/iptables -X"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:44
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:44
Start date:	21/01/2022
Path:	/sbin/iptables
Arguments:	/sbin/iptables -F
File size:	99296 bytes
MD5 hash:	1ab05fef765b6342cdfadaa5275b33af

Start time:	04:43:44
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:44
Start date:	21/01/2022
Path:	/sbin/iptables
Arguments:	/sbin/iptables -X
File size:	99296 bytes
MD5 hash:	1ab05fef765b6342cdfadaa5275b33af

Start time:	04:43:45
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:45
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	sh -c "service firewalld stop"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:45
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:45
Start date:	21/01/2022
Path:	/usr/sbin/service
Arguments:	service firewalld stop
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:45
Start date:	21/01/2022
Path:	/usr/sbin/service
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:45
Start date:	21/01/2022
Path:	/usr/bin/basename
Arguments:	basename /usr/sbin/service
File size:	39256 bytes
MD5 hash:	3283660e59f128df18bec9b96fbd4d41

Start time:	04:43:45
Start date:	21/01/2022
Path:	/usr/sbin/service
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:45
Start date:	21/01/2022
Path:	/usr/bin/basename
Arguments:	basename /usr/sbin/service
File size:	39256 bytes
MD5 hash:	3283660e59f128df18bec9b96fbd4d41

Start time:	04:43:45
Start date:	21/01/2022
Path:	/usr/sbin/service
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:45
Start date:	21/01/2022
Path:	/usr/bin/systemctl
Arguments:	systemctl --quiet is-active multi-user.target
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time:	04:43:45
Start date:	21/01/2022
Path:	/usr/sbin/service
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:45
Start date:	21/01/2022
Path:	/usr/sbin/service
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:45
Start date:	21/01/2022
Path:	/usr/bin/systemctl
Arguments:	systemctl list-unit-files --full --type=socket
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time:	04:43:45
Start date:	21/01/2022
Path:	/usr/sbin/service
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:45
Start date:	21/01/2022
Path:	/usr/bin/sed
Arguments:	sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
File size:	121288 bytes
MD5 hash:	885062561f66aa1d4af4c54b9e7cc81a

Start time:	04:43:48
Start date:	21/01/2022
Path:	/usr/bin/systemctl
Arguments:	systemctl stop firewalld.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time:	04:43:48
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:48
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	sh -c "rm -rf ~/.bash_history"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:48
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:48
Start date:	21/01/2022
Path:	/usr/bin/rm
Arguments:	rm -rf /root/.bash_history
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Start time:	04:43:48
Start date:	21/01/2022
Path:	/tmp/apL.mips-20220121-0317
Arguments:	n/a
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time:	04:43:48
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	sh -c "history -c"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.qtPPbjdkIb
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.qtPPbjdkIb
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:43:55
Start date:	21/01/2022
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.qtPPbjdkIb /tmp/tmp.tvSNtKHMtv /tmp/tmp.xTL7lOZ5v5
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*.
Tactics:	Defense Evasion
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report apL.mips-20220121-0317

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Runtime Messages

Process Tree

Yara Overview

Initial Sample

Memory Dumps

Jbx Signature Overview

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/run/systemd/resolve/stub-resolv.conf

/tmp/qemu-open.JEqahA (deleted)

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

HTTPS Packets

System Behavior

Analysis Process: apL.mips-20220121-0317 PID: 5216, Parent PID: 5112

General

Chronological Activities

Analysis Process: apL.mips-20220121-0317 PID: 5218, Parent PID: 5216

General

Chronological Activities

Analysis Process: apL.mips-20220121-0317 PID: 5219, Parent PID: 5216

General

Chronological Activities

Analysis Process: apL.mips-20220121-0317 PID: 5222, Parent PID: 5219

General

Chronological Activities

Analysis Process: apL.mips-20220121-0317 PID: 5224, Parent PID: 5222

General

Chronological Activities

Linux Analysis Report
apL.mips-20220121-0317