Edit tour

Linux Analysis Report
arm

Overview

General Information

Sample Name:	arm
Analysis ID:	557442
MD5:	c8eac6c41bd5f6ec5a65524142f340e0
SHA1:	ae41cee628bdacfe7dd71dd1e4ab90e71a9d0a86
SHA256:	b916d6f9d2756f35b510f1e89cf54a3601b3aafdba2a506cd9e5254e0dade88e
Tags:	Mirai
Infos:

Detection

Mirai Moobot

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Moobot

Sets full permissions to files and/or directories

Yara signature match

Executes the "mkdir" command used to create folders

Uses the "uname" system call to query kernel version information (possible evasion)

Executes the "chmod" command used to modify permissions

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample has stripped symbol table

Sample tries to set the executable flag

Executes commands using a shell command-line interpreter

Executes the "rm" command used to delete files or directories

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	557442
Start date:	21.01.2022
Start time:	06:00:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 0s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	arm
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal100.troj.lin@0/0@1/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/arm
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	qazwsxedc
Standard Error:

Process Tree

system is lnxubuntu20

arm (PID: 5201, Parent: 5115, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm

arm New Fork (PID: 5223, Parent: 5201)

sh (PID: 5223, Parent: 5201, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf bin/systemd && mkdir bin; >bin/systemd && mv /tmp/arm bin/systemd; chmod 777 bin/systemd"

sh New Fork (PID: 5225, Parent: 5223)

rm (PID: 5225, Parent: 5223, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf bin/systemd

sh New Fork (PID: 5226, Parent: 5223)

mkdir (PID: 5226, Parent: 5223, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir bin

sh New Fork (PID: 5227, Parent: 5223)

mv (PID: 5227, Parent: 5223, MD5: 504f0590fa482d4da070a702260e3716) Arguments: mv /tmp/arm bin/systemd

sh New Fork (PID: 5228, Parent: 5223)

chmod (PID: 5228, Parent: 5223, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 bin/systemd

arm New Fork (PID: 5229, Parent: 5201)

arm New Fork (PID: 5231, Parent: 5229)

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
arm	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x12be8:$x1: POST /cdn-cgi/ 0x12168:$x3: /dev/watchdog 0x122b4:$s1: LCOGQGPTGP
arm	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x12be8:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
arm	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
arm	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
arm	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
5201.1.000000002e6ad643.0000000062dfdce7.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x12be8:$x1: POST /cdn-cgi/ 0x12168:$x3: /dev/watchdog 0x122b4:$s1: LCOGQGPTGP
5201.1.000000002e6ad643.0000000062dfdce7.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x12be8:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
5201.1.000000002e6ad643.0000000062dfdce7.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
5201.1.000000002e6ad643.0000000062dfdce7.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5201.1.000000002e6ad643.0000000062dfdce7.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
Process Memory Space: arm PID: 5201	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
Click to see the 1 entries

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: arm

Avira: detected

Multi AV Scanner detection for submitted file

Source: arm	Virustotal: Detection: 39%			Perma Link
Source: arm	ReversingLabs: Detection: 50%

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 95.181.161.40:55005 -> 192.168.2.23:47080
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:38814 -> 220.83.107.132:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 220.83.107.132:23 -> 192.168.2.23:38814
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 220.83.107.132:23 -> 192.168.2.23:38814
Source: Traffic	Snort IDS: 716 INFO TELNET access 175.203.37.237:23 -> 192.168.2.23:36270
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 220.83.107.132:23 -> 192.168.2.23:38842
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 220.83.107.132:23 -> 192.168.2.23:38842
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 175.203.37.237:23 -> 192.168.2.23:36270
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 175.203.37.237:23 -> 192.168.2.23:36270
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 220.83.107.132:23 -> 192.168.2.23:38882
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 220.83.107.132:23 -> 192.168.2.23:38882
Source: Traffic	Snort IDS: 716 INFO TELNET access 175.203.37.237:23 -> 192.168.2.23:36320
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 175.203.37.237:23 -> 192.168.2.23:36320
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 175.203.37.237:23 -> 192.168.2.23:36320
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 220.83.107.132:23 -> 192.168.2.23:38892
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 220.83.107.132:23 -> 192.168.2.23:38892
Source: Traffic	Snort IDS: 716 INFO TELNET access 211.119.241.133:23 -> 192.168.2.23:56018
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.182.98.209:23 -> 192.168.2.23:47332
Source: Traffic	Snort IDS: 716 INFO TELNET access 14.33.224.31:23 -> 192.168.2.23:43120
Source: Traffic	Snort IDS: 716 INFO TELNET access 175.203.37.237:23 -> 192.168.2.23:36334
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 200.182.98.209:23 -> 192.168.2.23:47332
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 220.83.107.132:23 -> 192.168.2.23:38900
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 220.83.107.132:23 -> 192.168.2.23:38900
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.182.98.209:23 -> 192.168.2.23:47342
Source: Traffic	Snort IDS: 716 INFO TELNET access 14.33.224.31:23 -> 192.168.2.23:43128
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 175.203.37.237:23 -> 192.168.2.23:36334
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 175.203.37.237:23 -> 192.168.2.23:36334
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 200.182.98.209:23 -> 192.168.2.23:47342
Source: Traffic	Snort IDS: 716 INFO TELNET access 14.33.224.31:23 -> 192.168.2.23:43130
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.182.98.209:23 -> 192.168.2.23:47352
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:47352 -> 200.182.98.209:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 175.203.37.237:23 -> 192.168.2.23:36352
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:36352 -> 175.203.37.237:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 14.33.224.31:23 -> 192.168.2.23:43150
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 200.182.98.209:23 -> 192.168.2.23:47352
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 220.83.107.132:23 -> 192.168.2.23:38914
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 220.83.107.132:23 -> 192.168.2.23:38914
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.182.98.209:23 -> 192.168.2.23:47382
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 175.203.37.237:23 -> 192.168.2.23:36352
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 175.203.37.237:23 -> 192.168.2.23:36352
Source: Traffic	Snort IDS: 716 INFO TELNET access 14.33.224.31:23 -> 192.168.2.23:43168
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 200.182.98.209:23 -> 192.168.2.23:47382
Source: Traffic	Snort IDS: 716 INFO TELNET access 14.33.224.31:23 -> 192.168.2.23:43182
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.182.98.209:23 -> 192.168.2.23:47402
Source: Traffic	Snort IDS: 716 INFO TELNET access 211.119.241.133:23 -> 192.168.2.23:56092
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:47402 -> 200.182.98.209:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 175.203.37.237:23 -> 192.168.2.23:36404
Source: Traffic	Snort IDS: 716 INFO TELNET access 14.33.224.31:23 -> 192.168.2.23:43194
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 200.182.98.209:23 -> 192.168.2.23:47402
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 220.83.107.132:23 -> 192.168.2.23:38966
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 220.83.107.132:23 -> 192.168.2.23:38966
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 175.203.37.237:23 -> 192.168.2.23:36404
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 175.203.37.237:23 -> 192.168.2.23:36404
Source: Traffic	Snort IDS: 716 INFO TELNET access 14.33.224.31:23 -> 192.168.2.23:43196
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.182.98.209:23 -> 192.168.2.23:47414
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 200.182.98.209:23 -> 192.168.2.23:47414
Source: Traffic	Snort IDS: 716 INFO TELNET access 14.33.224.31:23 -> 192.168.2.23:43204
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.182.98.209:23 -> 192.168.2.23:47424
Source: Traffic	Snort IDS: 716 INFO TELNET access 175.203.37.237:23 -> 192.168.2.23:36422
Source: Traffic	Snort IDS: 716 INFO TELNET access 14.33.224.31:23 -> 192.168.2.23:43214
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 220.83.107.132:23 -> 192.168.2.23:38988
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 220.83.107.132:23 -> 192.168.2.23:38988
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 200.182.98.209:23 -> 192.168.2.23:47424
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 175.203.37.237:23 -> 192.168.2.23:36422
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 175.203.37.237:23 -> 192.168.2.23:36422
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:57684 -> 171.103.146.187:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.182.98.209:23 -> 192.168.2.23:47458
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:47458 -> 200.182.98.209:23
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 200.182.98.209:23 -> 192.168.2.23:47458
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:39034 -> 220.83.107.132:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.182.98.209:23 -> 192.168.2.23:47476
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:37442 -> 188.170.132.248:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 220.83.107.132:23 -> 192.168.2.23:39034
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 220.83.107.132:23 -> 192.168.2.23:39034
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 200.182.98.209:23 -> 192.168.2.23:47476
Source: Traffic	Snort IDS: 716 INFO TELNET access 211.119.241.133:23 -> 192.168.2.23:56176
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.182.98.209:23 -> 192.168.2.23:47500
Source: Traffic	Snort IDS: 716 INFO TELNET access 175.203.37.237:23 -> 192.168.2.23:36526
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 200.182.98.209:23 -> 192.168.2.23:47500
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:36526 -> 175.203.37.237:23

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 119.202.14.199:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 110.66.24.210:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 212.75.120.245:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 195.199.169.97:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 134.186.6.145:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 108.217.29.81:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 73.131.122.187:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 129.244.223.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 72.96.34.184:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 66.75.206.83:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 209.227.67.56:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 189.250.33.177:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 89.76.23.231:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 164.209.153.188:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 188.36.29.232:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 94.227.101.144:2323
Source: global traffic	TCP traffic: 192.168.2.23:47080 -> 95.181.161.40:55005
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 13.149.76.24:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 175.209.167.191:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 58.31.160.53:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 14.76.176.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 165.2.254.41:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 157.204.78.173:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 132.202.223.186:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 212.97.166.177:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 126.34.6.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 211.203.6.56:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 213.211.68.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 211.124.62.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 58.196.208.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 88.106.34.40:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 41.48.30.55:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 180.202.194.106:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 147.13.67.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 78.83.175.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 169.68.115.128:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 128.167.53.10:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 61.211.97.49:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 43.88.176.97:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 53.224.170.145:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 8.22.246.96:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 37.223.36.130:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 98.86.114.50:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 161.240.122.163:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 98.246.2.248:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 116.159.170.153:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 35.114.7.220:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 136.206.119.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 20.64.64.198:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 186.95.83.155:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 19.200.124.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 50.32.235.243:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 19.216.22.91:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 222.32.132.103:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 73.49.183.128:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 193.222.148.245:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 207.114.19.59:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 79.159.64.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 222.217.248.94:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 115.232.226.51:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 25.153.217.202:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 36.59.244.131:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 93.49.241.53:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 100.197.93.137:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 147.163.82.69:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 170.241.229.156:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 41.210.85.93:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 109.48.158.14:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 76.237.210.224:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 198.237.107.242:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 98.232.40.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 205.61.9.169:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 23.46.163.17:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 134.188.245.96:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 44.177.140.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 222.148.51.62:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 129.111.218.23:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 128.118.247.172:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 191.252.2.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 75.101.231.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 221.215.5.223:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 92.54.199.220:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 195.27.43.191:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 39.194.241.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 73.29.27.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 114.228.180.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 98.99.113.184:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 42.25.145.30:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 130.221.223.11:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 202.22.74.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 199.252.94.69:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 71.127.250.103:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 36.92.140.192:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 19.84.98.233:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 32.255.200.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 195.66.254.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 197.0.65.116:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 59.127.160.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 34.77.15.214:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 45.86.122.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 151.100.99.150:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 159.4.46.109:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 39.35.154.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 142.100.7.210:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 202.7.91.161:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 63.12.237.4:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 52.91.245.109:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 135.46.116.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 217.8.176.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 68.147.36.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 211.87.41.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 129.208.231.18:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 201.50.185.101:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 193.174.6.233:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 100.203.177.63:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 34.228.253.178:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 50.244.191.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 8.136.129.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 17.51.153.128:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 143.42.72.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 202.41.76.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 36.96.122.33:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 197.91.164.175:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 25.149.5.16:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 135.108.113.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 76.241.188.13:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 62.32.77.180:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 81.175.67.43:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 8.8.215.243:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 90.110.71.141:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 176.84.177.235:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 2.114.253.9:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 39.154.169.19:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 209.206.157.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 153.68.49.73:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 163.218.53.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 17.185.139.244:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 186.24.162.3:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 137.74.187.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 80.103.45.199:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 166.81.131.214:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 143.24.39.35:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 89.140.112.124:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 184.214.3.97:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 115.248.43.218:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 128.130.224.206:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 145.227.0.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 32.150.1.226:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 216.254.216.72:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 104.233.227.181:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 183.124.54.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 86.28.109.24:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 102.55.168.120:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 125.217.153.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 39.12.250.103:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 173.96.7.213:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 135.184.53.54:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 199.131.178.254:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 131.216.75.1:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 99.99.202.68:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 75.12.162.149:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 123.125.89.196:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 162.53.119.1:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 196.9.198.232:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 162.6.235.241:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 184.167.49.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 106.98.188.167:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 120.169.16.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 46.225.233.40:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 205.1.99.213:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 170.136.31.35:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 167.211.254.114:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 204.145.223.240:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 197.202.44.40:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 216.24.39.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 45.199.163.13:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 165.172.14.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 168.194.202.59:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 201.45.234.68:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 150.114.169.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 69.76.92.207:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 79.110.3.42:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 4.146.235.171:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 213.15.191.233:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 149.205.212.200:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 195.214.8.4:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 88.140.173.153:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 199.144.137.196:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 63.108.150.4:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 125.235.197.27:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 24.73.253.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 202.171.29.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 113.241.119.42:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 74.255.95.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 200.223.159.55:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 147.74.19.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 76.51.81.9:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 93.102.25.204:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 156.161.71.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 206.206.164.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 121.32.93.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 138.160.154.208:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 120.28.128.236:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 174.251.233.13:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 210.4.233.229:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 129.209.103.27:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 129.84.88.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 42.113.163.3:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 152.253.215.216:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 162.138.45.210:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 53.168.12.59:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 96.179.192.179:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 2.39.74.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 179.62.235.163:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 134.179.209.84:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 72.214.57.27:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 166.210.139.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 58.109.89.211:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 77.198.88.98:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 88.204.139.162:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 221.191.103.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 102.47.172.169:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 52.40.179.84:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 72.49.202.31:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 61.53.84.82:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 139.27.146.243:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 160.232.75.138:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 117.35.61.205:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 81.65.236.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 2.60.204.242:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 110.83.219.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 114.221.33.249:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 65.228.166.73:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 179.250.207.208:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 216.31.152.66:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 112.15.62.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 70.0.181.78:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 98.66.224.239:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 40.11.30.98:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 145.156.191.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 156.151.143.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 105.255.210.87:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 146.122.186.66:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 80.55.227.138:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 113.255.132.240:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 167.202.147.189:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 208.175.165.242:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 31.213.146.166:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 9.235.234.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 143.197.102.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 18.97.233.43:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 152.13.28.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 58.124.17.254:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 114.104.63.231:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 61.24.112.44:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 87.184.68.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 177.84.90.19:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 120.138.80.49:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 12.46.252.87:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 111.217.103.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 20.240.163.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 97.54.78.215:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 125.145.52.140:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 76.95.232.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 133.47.162.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 187.204.146.97:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 17.78.154.155:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 81.133.87.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 171.212.38.252:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 109.172.90.224:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 147.61.203.27:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 185.127.179.254:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 169.201.222.184:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 71.230.137.240:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 201.185.254.204:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 126.230.63.14:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 113.55.28.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 116.240.70.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 213.127.162.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 182.226.119.134:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 185.152.77.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 155.199.42.160:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 64.124.139.105:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 51.2.54.197:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 126.36.228.181:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 60.186.132.119:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 1.14.3.132:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 167.187.44.242:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 126.60.68.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 42.235.205.60:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 32.104.61.89:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 218.214.128.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 85.55.143.205:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 139.201.178.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 129.228.140.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 209.141.126.252:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 35.163.10.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 58.20.169.118:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 13.190.96.48:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 96.148.44.18:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 208.215.19.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 135.225.121.9:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 152.106.121.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 48.116.220.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 75.86.161.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 39.75.47.22:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 143.148.45.177:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 181.136.144.133:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 46.182.216.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 53.18.230.36:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 80.207.98.190:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 65.200.114.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 193.229.250.66:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 163.199.143.14:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 62.107.187.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 101.178.200.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 147.50.137.104:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 54.188.63.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 170.25.80.243:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 43.151.160.54:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 158.198.254.58:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 76.62.241.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 163.235.151.167:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 133.205.63.98:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 62.35.78.129:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 139.1.209.168:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 152.209.217.51:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 173.5.133.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 116.192.166.208:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 38.165.107.100:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 217.52.73.189:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 42.184.77.144:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 167.103.128.210:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 170.249.192.191:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 78.28.57.24:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 157.222.44.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 181.210.228.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 209.235.49.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 118.110.249.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 209.61.61.141:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 49.24.166.167:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 63.212.235.58:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 158.76.153.177:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 76.226.124.47:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 85.157.123.174:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 218.191.27.223:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 128.32.4.134:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 120.237.215.141:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 198.115.32.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 166.184.109.59:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 200.5.249.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 116.127.177.68:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 37.120.238.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 20.73.40.162:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 149.74.47.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 17.67.37.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 221.63.178.245:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 207.130.32.169:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 23.162.198.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 170.152.156.155:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 112.84.150.15:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 8.167.74.147:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 136.181.198.156:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 203.254.50.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 58.64.120.248:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 148.99.115.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 190.157.99.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 57.26.251.43:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 102.227.12.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 201.7.115.0:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 52.137.139.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 167.111.214.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 105.124.209.35:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 186.133.211.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 216.50.253.13:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 110.10.57.114:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 109.29.162.241:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 101.18.227.141:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 97.245.151.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 47.4.208.36:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 168.41.175.133:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 101.123.60.31:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 118.42.150.4:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 146.126.72.100:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 2.25.193.237:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 126.203.51.174:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 49.159.251.232:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 102.0.233.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 130.250.72.106:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 171.14.159.84:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 50.144.143.82:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 54.93.42.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 67.165.172.189:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 69.85.15.151:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 220.8.50.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 115.168.49.149:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 51.84.199.184:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 12.177.238.163:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 100.22.3.120:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 149.242.36.140:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 19.198.165.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 123.50.69.129:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 106.240.91.50:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 88.83.4.213:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 121.157.215.68:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 20.74.19.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 161.191.221.85:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 24.106.103.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 175.49.54.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 79.99.7.92:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 97.110.177.105:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 209.45.55.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 23.159.95.127:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 183.139.191.115:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 75.120.117.166:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 140.195.124.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 154.118.228.22:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 38.161.104.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 17.104.192.48:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 111.49.125.63:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 184.171.37.129:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 180.194.87.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 207.228.127.83:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 207.144.62.232:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 14.33.244.118:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 105.38.79.228:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 92.50.58.130:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 129.98.120.3:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 132.87.10.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 203.229.114.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 78.167.123.17:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 72.151.7.245:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 163.165.91.211:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 117.237.140.100:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 18.37.136.49:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 50.164.39.217:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 212.140.112.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 152.108.49.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 144.112.44.132:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 94.169.16.215:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 32.206.7.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 35.219.208.165:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 93.200.186.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 178.148.193.173:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 183.228.146.200:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 99.204.46.215:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 197.166.65.120:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 159.68.225.175:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 84.225.172.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 24.213.54.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 54.23.141.240:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 102.79.182.253:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 41.78.9.43:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 60.249.108.245:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 84.170.106.249:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 5.217.168.70:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 116.202.0.155:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 126.149.82.51:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 182.83.122.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 40.65.120.94:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 168.216.81.181:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 74.202.4.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 91.36.141.220:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 153.11.43.10:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 9.179.51.161:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 100.219.204.50:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 206.193.72.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 153.247.68.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 135.138.178.31:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 162.49.220.215:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 50.17.254.9:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 162.53.213.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 118.30.186.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 40.106.23.243:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 138.108.12.27:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 164.131.63.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 108.105.127.44:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 46.238.220.28:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 46.79.9.173:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 178.183.212.231:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 13.1.141.137:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 147.145.143.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 134.222.141.248:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 193.93.241.153:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 120.27.161.188:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 168.72.132.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 167.221.90.53:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 92.168.207.204:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 107.12.58.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 217.88.61.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 96.64.84.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 136.224.8.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 200.226.96.224:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 66.183.29.82:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 58.163.63.67:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 74.115.57.106:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 147.175.110.252:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 71.75.220.156:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 223.22.144.31:2323
Source: global traffic	TCP traffic: 192.168.2.23:20991 -> 43.160.204.3:2323

Source: /tmp/arm (PID: 5201)

Socket: 127.0.0.1::1124

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 119.202.14.199
Source: unknown	TCP traffic detected without corresponding DNS query: 62.89.61.199
Source: unknown	TCP traffic detected without corresponding DNS query: 68.208.84.130
Source: unknown	TCP traffic detected without corresponding DNS query: 12.238.185.199
Source: unknown	TCP traffic detected without corresponding DNS query: 87.238.206.23
Source: unknown	TCP traffic detected without corresponding DNS query: 159.12.107.37
Source: unknown	TCP traffic detected without corresponding DNS query: 126.42.164.2
Source: unknown	TCP traffic detected without corresponding DNS query: 176.100.194.58
Source: unknown	TCP traffic detected without corresponding DNS query: 173.96.128.32
Source: unknown	TCP traffic detected without corresponding DNS query: 121.149.181.139
Source: unknown	TCP traffic detected without corresponding DNS query: 176.146.86.12
Source: unknown	TCP traffic detected without corresponding DNS query: 18.170.35.44
Source: unknown	TCP traffic detected without corresponding DNS query: 203.255.163.57
Source: unknown	TCP traffic detected without corresponding DNS query: 91.54.14.130
Source: unknown	TCP traffic detected without corresponding DNS query: 196.174.115.72
Source: unknown	TCP traffic detected without corresponding DNS query: 2.154.86.190
Source: unknown	TCP traffic detected without corresponding DNS query: 173.198.105.71
Source: unknown	TCP traffic detected without corresponding DNS query: 34.170.119.206
Source: unknown	TCP traffic detected without corresponding DNS query: 77.200.62.159
Source: unknown	TCP traffic detected without corresponding DNS query: 212.75.120.245
Source: unknown	TCP traffic detected without corresponding DNS query: 118.145.141.83
Source: unknown	TCP traffic detected without corresponding DNS query: 80.223.101.140
Source: unknown	TCP traffic detected without corresponding DNS query: 195.35.106.75
Source: unknown	TCP traffic detected without corresponding DNS query: 168.177.16.242
Source: unknown	TCP traffic detected without corresponding DNS query: 41.26.145.4
Source: unknown	TCP traffic detected without corresponding DNS query: 52.234.120.116
Source: unknown	TCP traffic detected without corresponding DNS query: 192.234.176.72
Source: unknown	TCP traffic detected without corresponding DNS query: 69.236.216.77
Source: unknown	TCP traffic detected without corresponding DNS query: 79.50.197.220
Source: unknown	TCP traffic detected without corresponding DNS query: 195.199.169.97
Source: unknown	TCP traffic detected without corresponding DNS query: 53.253.39.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.170.170.211
Source: unknown	TCP traffic detected without corresponding DNS query: 2.206.71.1
Source: unknown	TCP traffic detected without corresponding DNS query: 35.60.42.186
Source: unknown	TCP traffic detected without corresponding DNS query: 159.174.14.108
Source: unknown	TCP traffic detected without corresponding DNS query: 65.134.223.36
Source: unknown	TCP traffic detected without corresponding DNS query: 17.95.60.243
Source: unknown	TCP traffic detected without corresponding DNS query: 179.41.227.194
Source: unknown	TCP traffic detected without corresponding DNS query: 216.9.117.128
Source: unknown	TCP traffic detected without corresponding DNS query: 134.186.6.145
Source: unknown	TCP traffic detected without corresponding DNS query: 105.74.198.70
Source: unknown	TCP traffic detected without corresponding DNS query: 89.147.57.147
Source: unknown	TCP traffic detected without corresponding DNS query: 59.170.70.45
Source: unknown	TCP traffic detected without corresponding DNS query: 121.211.51.162
Source: unknown	TCP traffic detected without corresponding DNS query: 154.19.175.84
Source: unknown	TCP traffic detected without corresponding DNS query: 108.217.29.81
Source: unknown	TCP traffic detected without corresponding DNS query: 176.34.100.103
Source: unknown	TCP traffic detected without corresponding DNS query: 199.45.164.180
Source: unknown	TCP traffic detected without corresponding DNS query: 12.13.158.41
Source: unknown	TCP traffic detected without corresponding DNS query: 179.92.96.232

Source: unknown

DNS traffic detected: queries for: arcticboatz.cz

System Summary

Malicious sample detected (through community Yara rule)

Source: arm, type: SAMPLE	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: arm, type: SAMPLE	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5201.1.000000002e6ad643.0000000062dfdce7.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5201.1.000000002e6ad643.0000000062dfdce7.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth

Source: arm, type: SAMPLE	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: arm, type: SAMPLE	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5201.1.000000002e6ad643.0000000062dfdce7.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5201.1.000000002e6ad643.0000000062dfdce7.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research

Source: ELF static info symbol of initial sample

.symtab present: no

Source: Initial sample	String containing 'busybox' found: bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: f%s:%dwebservarm7x86_64ppcm68kbin/busyboxbin/watchdogbin/systemd/bin/busybox/bin/watchdog/bin/systemd\

Source: classification engine

Classification label: mal100.troj.lin@0/0@1/0

Persistence and Installation Behavior

Sets full permissions to files and/or directories

Source: /bin/sh (PID: 5228)

Chmod executable with 777: /usr/bin/chmod -> chmod 777 bin/systemd

Source: /bin/sh (PID: 5226)

Mkdir executable: /usr/bin/mkdir -> mkdir bin

Source: /bin/sh (PID: 5228)

Chmod executable: /usr/bin/chmod -> chmod 777 bin/systemd

Source: /usr/bin/chmod (PID: 5228)

File: /tmp/bin/systemd (bits: - usr: rwx grp: rwx all: rwx)

Jump to behavior

Source: /tmp/arm (PID: 5223)

Shell command executed: sh -c "rm -rf bin/systemd && mkdir bin; >bin/systemd && mv /tmp/arm bin/systemd; chmod 777 bin/systemd"

Source: /bin/sh (PID: 5225)

Rm executable: /usr/bin/rm -> rm -rf bin/systemd

Source: /tmp/arm (PID: 5201)

Queries kernel information via 'uname':

Source: arm, 5201.1.00000000b2f7bc77.000000009a69674a.rw-.sdmp	Binary or memory string: `kU!/etc/qemu-binfmt/arm
Source: arm, 5201.1.0000000039e6831f.00000000db2ee247.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/armSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm
Source: arm, 5201.1.00000000b2f7bc77.000000009a69674a.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: arm, 5201.1.0000000039e6831f.00000000db2ee247.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: arm, type: SAMPLE
Source: Yara match	File source: 5201.1.000000002e6ad643.0000000062dfdce7.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: arm, type: SAMPLE
Source: Yara match	File source: 5201.1.000000002e6ad643.0000000062dfdce7.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arm PID: 5201, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: arm, type: SAMPLE
Source: Yara match	File source: 5201.1.000000002e6ad643.0000000062dfdce7.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: arm, type: SAMPLE
Source: Yara match	File source: 5201.1.000000002e6ad643.0000000062dfdce7.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arm PID: 5201, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	Path Interception	Path Interception	2 File and Directory Permissions Modification	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Scripting	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
arm	39%	Virustotal		Browse
arm	50%	ReversingLabs	Linux.Trojan.Mirai
arm	100%	Avira	LINUX/Mirai.bonb

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
arcticboatz.cz	4%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
arcticboatz.cz	95.181.161.40	true	true	4%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
90.21.87.76	unknown	France	3215	FranceTelecom-OrangeFR	false
39.70.211.12	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
191.151.188.107	unknown	Colombia	26611	COMCELSACO	false
158.248.198.227	unknown	Norway	29695	ALTIBOX_ASNorwayNO	false
152.55.146.223	unknown	United States	81	NCRENUS	false
72.235.23.15	unknown	United States	36149	HAWAIIAN-TELCOMUS	false
97.39.187.32	unknown	United States	6167	CELLCO-PARTUS	false
153.247.68.182	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
80.208.170.47	unknown	Switzerland	15600	FINECOMQuicklineAGCH	false
181.126.230.132	unknown	Paraguay	23201	TelecelSAPY	false
74.169.133.116	unknown	United States	7018	ATT-INTERNET4US	false
82.117.30.106	unknown	Liechtenstein	35223	HOI-ASLI	false
88.253.17.216	unknown	Turkey	9121	TTNETTR	false
187.95.178.164	unknown	Brazil	53090	VianetTelecomunicacoeseInternetBR	false
138.142.32.215	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
58.210.29.106	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
46.138.231.194	unknown	Russian Federation	25513	ASN-MGTS-USPDRU	false
91.53.126.192	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
23.49.42.170	unknown	United States	16625	AKAMAI-ASUS	false
200.179.36.152	unknown	Brazil	4230	CLAROSABR	false
80.166.163.211	unknown	Denmark	3292	TDCTDCASDK	false
133.150.17.100	unknown	Japan	10021	KVHKVHCoLtdJP	false
176.224.147.61	unknown	Saudi Arabia	35819	MOBILY-ASEtihadEtisalatCompanyMobilySA	false
1.69.204.55	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
216.37.77.119	unknown	United States	21922	WEBNETUS	false
217.129.155.32	unknown	Portugal	13156	AS13156PalmelaPT	false
163.218.53.125	unknown	Japan	7502	IP-KYOTOAdvancedSoftwareTechnologyManagementResearch	false
141.21.45.141	unknown	Germany	205046	FZI-AS-1DE	false
173.112.71.235	unknown	United States	10507	SPCSUS	false
4.105.216.207	unknown	United States	3356	LEVEL3US	false
165.52.21.238	unknown	South Africa	37053	RSAWEB-ASZA	false
190.125.166.121	unknown	Colombia	26611	COMCELSACO	false
162.107.199.176	unknown	United States	17162	DONALDSONUS	false
191.223.166.113	unknown	Brazil	8167	BrasilTelecomSA-FilialDistritoFederalBR	false
81.133.225.89	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
114.23.5.71	unknown	New Zealand	56030	VOYAGERNET-AS-APVoyagerInternetLtdNZ	false
111.17.173.192	unknown	China	24444	CMNET-V4SHANDONG-AS-APShandongMobileCommunicationCompany	false
136.161.34.86	unknown	United States	174	COGENT-174US	false
45.83.121.194	unknown	Netherlands	200313	INTERNET-ITNL	false
153.193.162.150	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
1.104.172.183	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
200.151.155.13	unknown	Brazil	7738	TelemarNorteLesteSABR	false
213.36.152.232	unknown	France	12322	PROXADFR	false
61.15.226.39	unknown	Hong Kong	9908	HKCABLE2-HK-APHKCableTVLtdHK	false
61.185.7.40	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
190.145.21.183	unknown	Colombia	14080	TelmexColombiaSACO	false
201.176.134.4	unknown	Argentina	22927	TelefonicadeArgentinaAR	false
125.82.123.197	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
74.33.205.71	unknown	United States	7011	FRONTIER-AND-CITIZENSUS	false
132.97.141.117	unknown	United States	306	DNIC-ASBLK-00306-00371US	false
154.197.40.201	unknown	Seychelles	137443	ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK	false
151.141.190.160	unknown	United States	29842	ETSU-NETUS	false
59.65.228.14	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
99.105.83.245	unknown	United States	7018	ATT-INTERNET4US	false
152.250.150.236	unknown	Brazil	27699	TELEFONICABRASILSABR	false
27.201.102.121	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
189.71.43.234	unknown	Brazil	7738	TelemarNorteLesteSABR	false
136.109.100.212	unknown	United States	60311	ONEFMCH	false
82.45.153.218	unknown	United Kingdom	5089	NTLGB	false
144.67.166.155	unknown	United States	3243	MEO-RESIDENCIALPT	false
207.34.108.176	unknown	Canada	15247	RADIANT-VANCOUVERCA	false
191.49.3.3	unknown	Brazil	26615	TIMSABR	false
40.99.144.217	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
86.7.59.119	unknown	United Kingdom	5089	NTLGB	false
12.47.81.13	unknown	United States	7018	ATT-INTERNET4US	false
200.45.30.120	unknown	Argentina	7303	TelecomArgentinaSAAR	false
48.171.205.123	unknown	United States	2686	ATGS-MMD-ASUS	false
34.205.37.162	unknown	United States	14618	AMAZON-AESUS	false
61.17.124.120	unknown	India	17908	TCISLTataCommunicationsIN	false
4.19.212.157	unknown	United States	3356	LEVEL3US	false
190.227.23.147	unknown	Argentina	7303	TelecomArgentinaSAAR	false
60.0.108.189	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
153.12.215.116	unknown	United States	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
54.17.208.21	unknown	United States	14618	AMAZON-AESUS	false
84.208.212.180	unknown	Norway	41164	GET-NOGETNorwayNO	false
117.54.211.86	unknown	Indonesia	9340	INDONET-AS-APINDOInternetPTID	false
135.71.50.102	unknown	United States	18676	AVAYAUS	false
152.241.175.204	unknown	Brazil	26599	TELEFONICABRASILSABR	false
212.189.180.251	unknown	Italy	137	ASGARRConsortiumGARREU	false
158.178.182.15	unknown	United Kingdom	15830	EQUINIX-CONNECT-EMEAGB	false
173.28.235.234	unknown	United States	30036	MEDIACOM-ENTERPRISE-BUSINESSUS	false
9.179.51.161	unknown	United States	3356	LEVEL3US	false
151.250.30.253	unknown	Turkey	34984	TELLCOM-ASTR	false
98.144.53.110	unknown	United States	10796	TWC-10796-MIDWESTUS	false
134.235.160.137	unknown	United States	1586	DNIC-ASBLK-01550-01601US	false
42.55.187.255	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
78.144.25.71	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	false
126.117.92.254	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
37.20.211.92	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
148.184.114.2	unknown	United States	3423	ATTIS-ASN3423US	false
201.222.187.82	unknown	Chile	7418	TELEFONICACHILESACL	false
223.37.56.169	unknown	Korea Republic of	9644	SKTELECOM-NET-ASSKTelecomKR	false
209.58.18.6	unknown	United States	6453	AS6453US	false
44.138.49.166	unknown	United States	7377	UCSDUS	false
64.196.203.67	unknown	United States	7029	WINDSTREAMUS	false
143.201.46.60	unknown	unknown	3128	BRUWS-AS3128US	false
151.171.248.30	unknown	United States	3257	GTT-BACKBONEGTTDE	false
76.168.35.52	unknown	United States	20001	TWC-20001-PACWESTUS	false
19.255.230.120	unknown	United States	3	MIT-GATEWAYSUS	false
65.56.241.202	unknown	United States	3356	LEVEL3US	false

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.105130846651577
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	arm
File size:	83264
MD5:	c8eac6c41bd5f6ec5a65524142f340e0
SHA1:	ae41cee628bdacfe7dd71dd1e4ab90e71a9d0a86
SHA256:	b916d6f9d2756f35b510f1e89cf54a3601b3aafdba2a506cd9e5254e0dade88e
SHA512:	4903b1f5a4a5e87704dbdd6caff2a496ca3de1fec833cfbdfdbf566f4f3ee2eef1eb8ab1e9347eee35bdcf623bd13a70d83e2aeb3611c2bc0dd8f722375235cd
SSDEEP:	1536:0DS1KyEi7hinozX7mgbmvKbvlTuWrYn4XqbMyHFrzLv6aevo0YwbZnFA:YZi9zLmvvKuwYNoyHFTcKwbZnFA
File Content Preview:	.ELF...a..........(.........4....C......4. ...(.....................D=..D=...............@...@...@..p....&..........Q.td..................................-...L."....G..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	82864
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x11f3c	0x0	0x6	AX	16
.fini	PROGBITS	0x19fec	0x11fec	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x1a000	0x12000	0x1d44	0x0	0x2	A	4
.ctors	PROGBITS	0x24000	0x14000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x24008	0x14008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x24014	0x14014	0x35c	0x0	0x3	WA	4
.bss	NOBITS	0x24370	0x14370	0x237c	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x14370	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x13d44	0x13d44	3.4485	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x14000	0x24000	0x24000	0x370	0x26ec	1.6757	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 21, 2022 06:01:11.455588102 CET	20991	2323	192.168.2.23	119.202.14.199
Jan 21, 2022 06:01:11.455666065 CET	20991	23	192.168.2.23	62.89.61.199
Jan 21, 2022 06:01:11.455688953 CET	20991	23	192.168.2.23	68.208.84.130
Jan 21, 2022 06:01:11.455697060 CET	20991	23	192.168.2.23	12.238.185.199
Jan 21, 2022 06:01:11.455715895 CET	20991	23	192.168.2.23	87.238.206.23
Jan 21, 2022 06:01:11.455739975 CET	20991	23	192.168.2.23	159.12.107.37
Jan 21, 2022 06:01:11.455749989 CET	20991	23	192.168.2.23	126.42.164.2
Jan 21, 2022 06:01:11.455770016 CET	20991	23	192.168.2.23	176.100.194.58
Jan 21, 2022 06:01:11.455790997 CET	20991	23	192.168.2.23	173.96.128.32
Jan 21, 2022 06:01:11.455795050 CET	20991	23	192.168.2.23	121.149.181.139
Jan 21, 2022 06:01:11.455799103 CET	20991	2323	192.168.2.23	110.66.24.210
Jan 21, 2022 06:01:11.456011057 CET	20991	23	192.168.2.23	176.146.86.12
Jan 21, 2022 06:01:11.456028938 CET	20991	23	192.168.2.23	18.170.35.44
Jan 21, 2022 06:01:11.456047058 CET	20991	23	192.168.2.23	203.255.163.57
Jan 21, 2022 06:01:11.456075907 CET	20991	23	192.168.2.23	91.54.14.130
Jan 21, 2022 06:01:11.456083059 CET	20991	23	192.168.2.23	196.174.115.72
Jan 21, 2022 06:01:11.456100941 CET	20991	23	192.168.2.23	2.154.86.190
Jan 21, 2022 06:01:11.456118107 CET	20991	23	192.168.2.23	173.198.105.71
Jan 21, 2022 06:01:11.456137896 CET	20991	23	192.168.2.23	34.170.119.206
Jan 21, 2022 06:01:11.456151009 CET	20991	23	192.168.2.23	77.200.62.159
Jan 21, 2022 06:01:11.456172943 CET	20991	2323	192.168.2.23	212.75.120.245
Jan 21, 2022 06:01:11.456177950 CET	20991	23	192.168.2.23	118.145.141.83
Jan 21, 2022 06:01:11.456199884 CET	20991	23	192.168.2.23	80.223.101.140
Jan 21, 2022 06:01:11.456222057 CET	20991	23	192.168.2.23	195.35.106.75
Jan 21, 2022 06:01:11.456228971 CET	20991	23	192.168.2.23	168.177.16.242
Jan 21, 2022 06:01:11.456273079 CET	20991	23	192.168.2.23	41.26.145.4
Jan 21, 2022 06:01:11.456284046 CET	20991	23	192.168.2.23	52.234.120.116
Jan 21, 2022 06:01:11.456288099 CET	20991	23	192.168.2.23	192.234.176.72
Jan 21, 2022 06:01:11.456293106 CET	20991	23	192.168.2.23	69.236.216.77
Jan 21, 2022 06:01:11.456315994 CET	20991	23	192.168.2.23	79.50.197.220
Jan 21, 2022 06:01:11.456325054 CET	20991	2323	192.168.2.23	195.199.169.97
Jan 21, 2022 06:01:11.456335068 CET	20991	23	192.168.2.23	53.253.39.1
Jan 21, 2022 06:01:11.456345081 CET	20991	23	192.168.2.23	185.170.170.211
Jan 21, 2022 06:01:11.456366062 CET	20991	23	192.168.2.23	2.206.71.1
Jan 21, 2022 06:01:11.456394911 CET	20991	23	192.168.2.23	35.60.42.186
Jan 21, 2022 06:01:11.456543922 CET	20991	23	192.168.2.23	159.174.14.108
Jan 21, 2022 06:01:11.456551075 CET	20991	23	192.168.2.23	65.134.223.36
Jan 21, 2022 06:01:11.456552982 CET	20991	23	192.168.2.23	17.95.60.243
Jan 21, 2022 06:01:11.456552982 CET	20991	23	192.168.2.23	179.41.227.194
Jan 21, 2022 06:01:11.456554890 CET	20991	23	192.168.2.23	216.9.117.128
Jan 21, 2022 06:01:11.456566095 CET	20991	2323	192.168.2.23	134.186.6.145
Jan 21, 2022 06:01:11.456576109 CET	20991	23	192.168.2.23	105.74.198.70
Jan 21, 2022 06:01:11.456577063 CET	20991	23	192.168.2.23	89.147.57.147
Jan 21, 2022 06:01:11.456585884 CET	20991	23	192.168.2.23	59.170.70.45
Jan 21, 2022 06:01:11.456587076 CET	20991	23	192.168.2.23	121.211.51.162
Jan 21, 2022 06:01:11.456619978 CET	20991	23	192.168.2.23	154.19.175.84
Jan 21, 2022 06:01:11.456633091 CET	20991	2323	192.168.2.23	108.217.29.81
Jan 21, 2022 06:01:11.456666946 CET	20991	23	192.168.2.23	176.34.100.103
Jan 21, 2022 06:01:11.456670046 CET	20991	23	192.168.2.23	199.45.164.180
Jan 21, 2022 06:01:11.456671000 CET	20991	23	192.168.2.23	12.13.158.41
Jan 21, 2022 06:01:11.456672907 CET	20991	23	192.168.2.23	210.93.11.223
Jan 21, 2022 06:01:11.456684113 CET	20991	23	192.168.2.23	179.92.96.232
Jan 21, 2022 06:01:11.456685066 CET	20991	23	192.168.2.23	54.110.176.154
Jan 21, 2022 06:01:11.456687927 CET	20991	23	192.168.2.23	18.167.17.213
Jan 21, 2022 06:01:11.456701994 CET	20991	23	192.168.2.23	109.146.76.49
Jan 21, 2022 06:01:11.456711054 CET	20991	23	192.168.2.23	2.236.179.167
Jan 21, 2022 06:01:11.456723928 CET	20991	23	192.168.2.23	81.87.27.47
Jan 21, 2022 06:01:11.456724882 CET	20991	23	192.168.2.23	223.78.145.74
Jan 21, 2022 06:01:11.456734896 CET	20991	23	192.168.2.23	115.8.180.203
Jan 21, 2022 06:01:11.456743956 CET	20991	23	192.168.2.23	173.191.75.43
Jan 21, 2022 06:01:11.456749916 CET	20991	2323	192.168.2.23	73.131.122.187
Jan 21, 2022 06:01:11.456806898 CET	20991	23	192.168.2.23	136.47.54.249
Jan 21, 2022 06:01:11.456809044 CET	20991	23	192.168.2.23	90.123.156.218
Jan 21, 2022 06:01:11.456809998 CET	20991	23	192.168.2.23	152.7.148.235
Jan 21, 2022 06:01:11.456821918 CET	20991	23	192.168.2.23	8.189.36.140
Jan 21, 2022 06:01:11.456837893 CET	20991	23	192.168.2.23	132.246.187.244
Jan 21, 2022 06:01:11.456837893 CET	20991	23	192.168.2.23	151.243.130.45
Jan 21, 2022 06:01:11.456837893 CET	20991	23	192.168.2.23	36.35.170.173
Jan 21, 2022 06:01:11.456841946 CET	20991	23	192.168.2.23	93.95.148.164
Jan 21, 2022 06:01:11.456851959 CET	20991	2323	192.168.2.23	129.244.223.61
Jan 21, 2022 06:01:11.456852913 CET	20991	23	192.168.2.23	9.41.200.188
Jan 21, 2022 06:01:11.456861973 CET	20991	23	192.168.2.23	156.32.171.48
Jan 21, 2022 06:01:11.456865072 CET	20991	23	192.168.2.23	114.146.119.112
Jan 21, 2022 06:01:11.456887007 CET	20991	23	192.168.2.23	165.78.222.98
Jan 21, 2022 06:01:11.456906080 CET	20991	23	192.168.2.23	114.215.224.108
Jan 21, 2022 06:01:11.456923962 CET	20991	23	192.168.2.23	129.239.13.54
Jan 21, 2022 06:01:11.456931114 CET	20991	23	192.168.2.23	114.242.61.189
Jan 21, 2022 06:01:11.456954002 CET	20991	23	192.168.2.23	116.242.128.243
Jan 21, 2022 06:01:11.456976891 CET	20991	23	192.168.2.23	5.69.101.17
Jan 21, 2022 06:01:11.456993103 CET	20991	23	192.168.2.23	20.114.73.12
Jan 21, 2022 06:01:11.457005978 CET	20991	2323	192.168.2.23	72.96.34.184
Jan 21, 2022 06:01:11.457037926 CET	20991	23	192.168.2.23	149.161.250.118
Jan 21, 2022 06:01:11.457050085 CET	20991	23	192.168.2.23	137.115.134.252
Jan 21, 2022 06:01:11.457067013 CET	20991	23	192.168.2.23	188.221.192.75
Jan 21, 2022 06:01:11.457075119 CET	20991	23	192.168.2.23	104.147.193.249
Jan 21, 2022 06:01:11.457098961 CET	20991	23	192.168.2.23	120.118.97.8
Jan 21, 2022 06:01:11.457115889 CET	20991	23	192.168.2.23	109.48.199.39
Jan 21, 2022 06:01:11.457129955 CET	20991	23	192.168.2.23	121.16.233.156
Jan 21, 2022 06:01:11.457138062 CET	20991	23	192.168.2.23	205.77.176.157
Jan 21, 2022 06:01:11.457174063 CET	20991	23	192.168.2.23	178.128.181.157
Jan 21, 2022 06:01:11.457175016 CET	20991	2323	192.168.2.23	66.75.206.83
Jan 21, 2022 06:01:11.457176924 CET	20991	23	192.168.2.23	80.17.80.21
Jan 21, 2022 06:01:11.457191944 CET	20991	23	192.168.2.23	169.149.141.114
Jan 21, 2022 06:01:11.457196951 CET	20991	23	192.168.2.23	198.12.214.141
Jan 21, 2022 06:01:11.457202911 CET	20991	23	192.168.2.23	170.129.135.235
Jan 21, 2022 06:01:11.457222939 CET	20991	23	192.168.2.23	197.39.12.215
Jan 21, 2022 06:01:11.457227945 CET	20991	23	192.168.2.23	128.122.40.2
Jan 21, 2022 06:01:11.457240105 CET	20991	23	192.168.2.23	118.69.97.134
Jan 21, 2022 06:01:11.457243919 CET	20991	23	192.168.2.23	200.174.208.43
Jan 21, 2022 06:01:11.457243919 CET	20991	23	192.168.2.23	175.77.82.47

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 21, 2022 06:01:11.452682972 CET	192.168.2.23	8.8.8.8	0xd01c	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 21, 2022 06:01:11.471282959 CET	8.8.8.8	192.168.2.23	0xd01c	No error (0)	arcticboatz.cz		95.181.161.40	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: arm PID: 5201, Parent PID: 5115

General

Start time:	06:01:10
Start date:	21/01/2022
Path:	/tmp/arm
Arguments:	/tmp/arm
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: arm PID: 5223, Parent PID: 5201

General

Start time:	06:01:10
Start date:	21/01/2022
Path:	/tmp/arm
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: sh PID: 5223, Parent PID: 5201

General

Start time:	06:01:10
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	sh -c "rm -rf bin/systemd && mkdir bin; >bin/systemd && mv /tmp/arm bin/systemd; chmod 777 bin/systemd"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 5225, Parent PID: 5223

General

Start time:	06:01:10
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: rm PID: 5225, Parent PID: 5223

General

Start time:	06:01:10
Start date:	21/01/2022
Path:	/usr/bin/rm
Arguments:	rm -rf bin/systemd
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Analysis Process: sh PID: 5226, Parent PID: 5223

General

Start time:	06:01:10
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: mkdir PID: 5226, Parent PID: 5223

General

Start time:	06:01:10
Start date:	21/01/2022
Path:	/usr/bin/mkdir
Arguments:	mkdir bin
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Analysis Process: sh PID: 5227, Parent PID: 5223

General

Start time:	06:01:10
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: mv PID: 5227, Parent PID: 5223

General

Start time:	06:01:10
Start date:	21/01/2022
Path:	/usr/bin/mv
Arguments:	mv /tmp/arm bin/systemd
File size:	149888 bytes
MD5 hash:	504f0590fa482d4da070a702260e3716

Analysis Process: sh PID: 5228, Parent PID: 5223

General

Start time:	06:01:10
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: chmod PID: 5228, Parent PID: 5223

General

Start time:	06:01:10
Start date:	21/01/2022
Path:	/usr/bin/chmod
Arguments:	chmod 777 bin/systemd
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Analysis Process: arm PID: 5229, Parent PID: 5201

General

Start time:	06:01:11
Start date:	21/01/2022
Path:	/tmp/arm
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: arm PID: 5231, Parent PID: 5229

General

Start time:	06:01:11
Start date:	21/01/2022
Path:	/tmp/arm
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report arm

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Overview

Initial Sample

Memory Dumps

Jbx Signature Overview

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: arm PID: 5201, Parent PID: 5115

General

Analysis Process: arm PID: 5223, Parent PID: 5201

General

Analysis Process: sh PID: 5223, Parent PID: 5201

General

Analysis Process: sh PID: 5225, Parent PID: 5223

General

Analysis Process: rm PID: 5225, Parent PID: 5223

General

Analysis Process: sh PID: 5226, Parent PID: 5223

General

Analysis Process: mkdir PID: 5226, Parent PID: 5223

General

Analysis Process: sh PID: 5227, Parent PID: 5223

General

Analysis Process: mv PID: 5227, Parent PID: 5223

General

Analysis Process: sh PID: 5228, Parent PID: 5223

General

Linux Analysis Report
arm