Edit tour

Linux Analysis Report
arm7

Overview

General Information

Sample Name:	arm7
Analysis ID:	557445
MD5:	a76e2e6437b384772b6ee03037a6d632
SHA1:	0640e30d9ad0a973536e9805b762748ddc267277
SHA256:	2bd730dc891f395d5bd663c9113ca86d23d046ecfb92f4b7ab28ad72cb40296a
Tags:	Mirai
Infos:

Detection

Mirai Moobot

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Moobot

Uses known network protocols on non-standard ports

Sets full permissions to files and/or directories

Yara signature match

Executes the "mkdir" command used to create folders

Uses the "uname" system call to query kernel version information (possible evasion)

Executes the "chmod" command used to modify permissions

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample has stripped symbol table

Sample tries to set the executable flag

Executes commands using a shell command-line interpreter

Executes the "rm" command used to delete files or directories

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	557445
Start date:	21.01.2022
Start time:	06:04:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 1s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	arm7
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal100.troj.lin@0/0@1/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/arm7
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	qazwsxedc
Standard Error:

Process Tree

system is lnxubuntu20

arm7 (PID: 5243, Parent: 5130, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm7

arm7 New Fork (PID: 5245, Parent: 5243)

sh (PID: 5245, Parent: 5243, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog && mv /tmp/arm7 bin/watchdog; chmod 777 bin/watchdog"

sh New Fork (PID: 5247, Parent: 5245)

rm (PID: 5247, Parent: 5245, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf bin/watchdog

sh New Fork (PID: 5248, Parent: 5245)

mkdir (PID: 5248, Parent: 5245, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir bin

sh New Fork (PID: 5249, Parent: 5245)

mv (PID: 5249, Parent: 5245, MD5: 504f0590fa482d4da070a702260e3716) Arguments: mv /tmp/arm7 bin/watchdog

sh New Fork (PID: 5250, Parent: 5245)

chmod (PID: 5250, Parent: 5245, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 bin/watchdog

arm7 New Fork (PID: 5252, Parent: 5243)

arm7 New Fork (PID: 5254, Parent: 5252)

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
arm7	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x18b58:$x1: POST /cdn-cgi/ 0x180d8:$x3: /dev/watchdog 0x18224:$s1: LCOGQGPTGP
arm7	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x18b58:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
arm7	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
arm7	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
arm7	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
5243.1.00000000eb7d369e.000000003b9895dc.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x18b58:$x1: POST /cdn-cgi/ 0x180d8:$x3: /dev/watchdog 0x18224:$s1: LCOGQGPTGP
5243.1.00000000eb7d369e.000000003b9895dc.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x18b58:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
5243.1.00000000eb7d369e.000000003b9895dc.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
5243.1.00000000eb7d369e.000000003b9895dc.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5243.1.00000000eb7d369e.000000003b9895dc.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
Process Memory Space: arm7 PID: 5243	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
Click to see the 1 entries

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: arm7

Avira: detected

Multi AV Scanner detection for submitted file

Source: arm7	Virustotal: Detection: 48%			Perma Link
Source: arm7	ReversingLabs: Detection: 55%

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 95.181.161.40:55005 -> 192.168.2.23:47080
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 222.111.228.251:23 -> 192.168.2.23:45152
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.233.190.222:23 -> 192.168.2.23:33894
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 222.111.228.251:23 -> 192.168.2.23:45178
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 222.111.228.251:23 -> 192.168.2.23:45204
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.233.190.222:23 -> 192.168.2.23:33938
Source: Traffic	Snort IDS: 716 INFO TELNET access 46.146.232.52:23 -> 192.168.2.23:44310
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 222.111.228.251:23 -> 192.168.2.23:45278
Source: Traffic	Snort IDS: 716 INFO TELNET access 77.233.190.222:23 -> 192.168.2.23:34020
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:51322 -> 212.200.80.138:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.105.7.50:23 -> 192.168.2.23:57654
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.105.7.50:23 -> 192.168.2.23:57664
Source: Traffic	Snort IDS: 716 INFO TELNET access 46.146.232.52:23 -> 192.168.2.23:44386
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.105.7.50:23 -> 192.168.2.23:57688
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.105.7.50:23 -> 192.168.2.23:57690
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.105.7.50:23 -> 192.168.2.23:57696

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35540
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35542
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35544
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35546
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35548
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35550
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35552
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35554
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35556
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35558

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 223.181.116.138:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 170.147.68.144:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 48.241.230.249:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 82.113.51.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 137.213.221.147:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 1.210.72.104:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 54.247.47.62:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 217.252.60.26:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 38.216.177.220:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 34.35.44.29:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 168.164.222.155:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 169.162.193.193:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 88.50.57.29:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 136.57.77.46:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 182.15.186.205:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 104.135.213.186:2323
Source: global traffic	TCP traffic: 192.168.2.23:47080 -> 95.181.161.40:55005
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 46.87.234.112:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 50.140.24.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 35.56.181.163:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 50.90.138.16:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 166.224.185.19:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 178.22.78.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 65.225.246.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 153.3.69.131:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 72.173.216.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 219.239.220.244:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 86.163.153.133:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 186.219.187.243:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 96.53.7.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 169.11.32.217:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 4.132.75.174:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 78.166.126.109:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 14.153.58.47:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 152.81.96.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 107.27.155.93:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 71.217.169.196:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 39.75.155.116:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 58.240.61.243:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 99.7.117.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 102.249.208.106:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 202.140.214.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 67.243.38.176:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 219.28.182.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 165.219.80.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 187.105.199.10:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 147.152.99.25:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 72.214.154.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 185.57.229.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 42.209.222.147:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 72.86.241.189:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 200.228.252.191:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 75.144.186.191:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 180.227.206.254:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 143.240.52.147:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 210.26.183.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 130.173.57.32:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 197.84.169.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 147.254.168.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 223.203.159.115:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 63.163.177.95:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 96.3.114.23:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 31.53.118.103:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 89.89.157.217:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 110.119.108.47:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 43.10.245.17:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 94.249.253.50:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 25.130.123.37:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 142.188.112.185:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 207.14.173.72:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 63.50.61.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 210.48.124.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 111.236.233.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 74.142.178.117:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 180.3.91.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 106.93.146.239:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 19.148.214.78:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 164.219.10.58:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 162.49.129.94:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 4.179.4.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 98.65.105.168:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 61.14.57.38:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 174.171.242.91:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 37.32.7.33:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 89.58.106.179:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 70.178.116.93:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 163.146.242.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 205.165.193.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 66.162.97.138:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 131.198.165.160:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 61.234.37.219:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 207.115.126.6:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 139.135.233.253:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 183.176.13.190:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 121.188.105.128:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 194.113.253.212:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 188.171.255.23:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 208.11.71.208:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 206.74.141.81:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 74.169.72.36:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 128.114.250.104:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 212.18.233.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 223.169.74.228:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 71.2.185.33:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 128.19.102.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 185.29.112.222:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 150.222.244.133:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 4.69.44.161:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 48.123.134.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 221.22.100.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 60.220.200.226:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 111.84.8.87:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 189.155.13.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 176.72.196.140:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 162.125.118.3:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 199.124.157.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 53.123.60.140:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 146.68.228.41:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 129.8.32.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 138.47.138.46:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 219.39.232.66:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 20.18.21.149:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 124.115.96.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 129.127.213.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 145.160.115.41:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 45.245.29.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 207.97.18.157:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 78.168.145.62:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 185.86.219.245:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 107.145.73.161:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 43.65.164.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 180.73.47.200:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 57.165.46.222:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 165.13.70.207:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 178.52.118.33:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 160.220.169.101:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 212.169.38.18:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 40.69.86.181:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 46.46.235.192:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 118.248.77.150:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 181.20.122.22:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 132.227.41.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 58.67.122.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 69.202.135.91:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 98.176.6.77:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 207.247.208.101:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 216.84.102.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 150.30.193.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 213.150.180.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 191.238.150.176:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 1.191.60.78:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 151.220.241.240:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 167.77.221.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 77.17.108.112:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 90.41.213.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 138.169.201.211:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 41.13.207.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 128.11.12.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 118.177.232.21:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 186.234.143.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 54.41.52.188:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 87.68.227.218:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 41.53.23.54:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 5.32.139.184:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 57.91.167.188:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 72.225.164.138:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 88.60.175.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 134.137.225.91:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 24.202.124.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 223.83.63.185:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 40.93.105.253:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 58.227.23.188:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 208.181.167.198:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 166.81.161.10:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 17.227.200.176:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 8.182.79.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 23.50.146.193:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 35.10.165.202:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 209.251.252.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 86.46.162.220:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 180.69.132.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 49.36.240.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 144.86.63.27:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 169.28.225.98:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 63.227.161.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 122.238.48.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 221.27.192.57:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 86.62.231.146:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 141.168.100.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 84.98.248.226:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 62.218.255.254:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 50.199.162.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 169.162.91.224:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 51.8.48.178:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 34.122.208.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 169.182.118.119:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 183.71.131.239:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 176.204.185.40:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 32.157.205.158:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 125.137.200.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 110.203.115.17:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 198.209.42.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 170.144.214.212:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 74.235.247.15:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 180.11.156.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 199.31.238.229:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 218.213.224.194:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 36.233.63.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 130.39.189.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 5.41.208.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 122.50.60.158:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 103.91.102.97:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 150.132.12.123:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 61.10.102.253:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 87.231.220.194:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 139.133.131.11:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 197.108.7.214:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 152.132.242.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 111.150.56.236:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 57.232.122.229:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 27.122.180.1:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 213.81.124.104:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 104.137.53.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 92.5.39.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 92.226.31.222:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 8.165.226.114:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 14.76.246.22:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 36.136.8.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 128.240.151.206:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 203.64.237.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 102.93.32.87:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 176.234.79.150:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 13.159.200.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 130.55.215.84:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 211.127.25.176:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 85.208.215.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 212.98.44.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 175.104.201.18:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 202.39.84.72:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 67.230.34.81:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 140.126.180.66:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 66.234.110.69:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 128.227.160.29:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 73.69.47.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 139.23.195.204:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 117.73.78.192:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 87.23.199.48:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 213.113.176.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 19.185.173.254:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 95.58.56.168:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 74.236.159.100:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 123.213.110.151:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 36.102.213.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 131.61.165.144:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 35.105.177.44:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 99.142.127.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 124.44.151.48:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 108.57.10.114:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 157.170.79.63:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 54.164.22.196:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 50.187.213.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 45.245.98.177:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 60.15.246.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 71.155.81.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 144.117.208.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 59.146.180.0:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 185.194.105.80:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 31.203.81.166:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 18.23.96.93:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 32.117.252.81:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 166.73.50.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 188.48.239.70:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 85.5.16.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 169.3.151.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 147.250.28.190:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 145.156.161.184:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 156.219.33.57:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 109.97.169.123:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 144.113.203.231:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 202.165.237.98:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 203.67.181.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 141.249.235.214:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 45.220.125.25:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 220.208.155.33:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 19.140.85.30:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 25.23.232.9:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 115.108.122.102:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 114.183.143.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 71.78.228.17:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 155.41.79.217:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 159.4.134.31:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 50.246.250.80:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 182.154.134.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 130.16.55.42:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 12.52.19.252:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 208.219.239.134:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 121.175.37.162:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 107.132.238.177:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 101.147.12.231:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 196.36.181.144:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 210.82.62.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 159.142.123.11:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 84.157.205.28:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 5.103.36.242:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 8.232.114.93:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 166.213.121.29:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 35.84.255.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 193.58.222.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 24.51.76.179:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 84.133.255.48:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 202.248.50.105:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 218.132.93.200:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 199.143.6.169:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 31.254.113.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 148.102.238.68:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 54.195.24.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 183.194.184.141:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 149.11.155.74:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 108.39.176.206:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 201.252.177.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 186.213.254.134:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 101.199.56.29:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 141.151.26.132:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 67.54.183.28:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 87.32.207.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 157.197.194.214:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 57.127.203.94:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 150.52.137.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 191.18.219.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 162.239.143.113:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 91.160.66.14:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 100.169.6.105:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 120.27.183.249:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 46.83.202.212:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 64.92.178.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 210.26.9.115:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 145.53.100.3:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 119.144.181.220:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 207.221.232.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 212.77.31.184:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 210.114.184.48:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 213.77.253.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 51.84.87.49:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 149.167.95.237:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 13.121.89.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 27.199.150.219:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 42.187.110.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 125.242.105.53:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 113.166.20.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 148.26.28.48:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 97.3.183.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 101.119.18.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 156.76.140.190:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 90.53.211.166:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 2.247.174.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 77.30.182.147:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 137.63.113.95:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 191.85.7.122:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 95.248.74.0:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 40.132.199.134:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 25.160.183.83:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 138.101.150.15:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 61.173.246.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 159.99.96.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 51.15.161.149:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 211.136.195.144:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 205.77.204.89:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 112.209.36.231:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 112.136.55.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 73.215.4.147:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 143.205.184.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 196.206.198.112:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 117.184.94.23:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 137.85.181.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 202.182.76.85:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 204.178.37.4:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 9.12.120.181:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 1.35.90.123:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 181.109.42.11:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 65.224.232.19:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 126.197.149.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 17.82.217.43:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 46.238.45.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 203.133.158.80:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 193.119.215.169:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 193.148.53.195:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 105.207.158.135:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 119.30.45.227:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 165.127.232.215:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 58.172.16.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 150.192.168.97:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 95.199.184.19:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 37.96.247.168:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 156.209.0.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 65.188.13.115:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 149.112.11.241:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 169.209.104.140:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 181.234.188.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 202.110.89.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 104.165.136.21:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 5.26.45.146:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 43.166.157.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 211.184.82.235:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 20.117.151.145:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 37.81.246.17:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 217.22.200.57:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 129.35.245.105:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 27.182.111.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 120.56.198.32:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 101.23.188.103:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 168.236.202.252:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 183.26.21.55:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 218.236.147.198:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 75.60.118.84:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 144.13.120.178:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 75.120.104.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 140.207.252.77:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 85.104.89.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 91.79.6.242:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 71.242.70.19:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 101.131.46.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 165.8.51.174:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 80.40.194.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 139.4.67.240:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 44.138.95.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 103.83.221.191:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 54.53.46.207:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 201.186.37.80:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 104.38.222.72:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 77.118.167.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 199.59.120.184:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 210.108.137.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 52.52.198.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 173.139.0.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 209.247.243.211:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 154.121.89.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 12.215.140.15:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 203.61.128.192:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 147.201.26.117:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 198.212.127.200:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 197.71.105.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 134.128.195.14:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 187.178.210.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 53.50.151.123:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 1.47.16.170:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 146.113.193.243:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 128.207.112.109:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 140.126.87.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 139.98.203.216:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 210.145.223.243:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 103.210.162.70:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 31.45.72.83:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 57.107.151.207:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 165.58.72.18:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 144.209.76.22:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 156.234.83.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 119.12.39.21:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 66.37.197.78:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 185.9.113.150:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 32.59.144.54:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 167.95.135.63:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 63.119.255.243:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 18.12.135.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 4.237.4.49:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 117.66.175.178:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 53.133.82.49:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 143.190.246.53:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 4.15.115.223:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 124.117.31.26:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 110.165.121.56:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 32.148.72.18:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 45.72.160.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 159.45.63.67:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 103.133.66.239:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 223.17.61.36:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 66.90.224.107:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 149.178.242.214:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 88.50.146.156:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 219.97.38.107:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 151.251.218.245:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 84.89.95.190:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 134.248.168.179:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 158.197.8.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 111.149.10.68:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 118.54.163.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 136.5.216.103:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 147.240.7.38:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 97.206.224.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 67.224.99.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 201.224.48.63:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 74.48.59.49:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 35.139.140.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 119.224.195.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 194.254.228.119:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 191.24.186.91:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 204.96.84.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 91.36.100.109:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 156.248.35.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 86.246.18.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:52575 -> 200.86.21.71:2323

Source: /tmp/arm7 (PID: 5243)

Socket: 127.0.0.1::1124

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 223.181.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 117.190.124.128
Source: unknown	TCP traffic detected without corresponding DNS query: 151.42.246.215
Source: unknown	TCP traffic detected without corresponding DNS query: 12.238.109.77
Source: unknown	TCP traffic detected without corresponding DNS query: 208.228.183.191
Source: unknown	TCP traffic detected without corresponding DNS query: 105.129.93.223
Source: unknown	TCP traffic detected without corresponding DNS query: 132.67.146.38
Source: unknown	TCP traffic detected without corresponding DNS query: 197.132.212.160
Source: unknown	TCP traffic detected without corresponding DNS query: 53.165.72.97
Source: unknown	TCP traffic detected without corresponding DNS query: 170.147.68.144
Source: unknown	TCP traffic detected without corresponding DNS query: 200.23.108.226
Source: unknown	TCP traffic detected without corresponding DNS query: 213.208.40.200
Source: unknown	TCP traffic detected without corresponding DNS query: 139.254.47.199
Source: unknown	TCP traffic detected without corresponding DNS query: 107.236.35.164
Source: unknown	TCP traffic detected without corresponding DNS query: 175.80.0.199
Source: unknown	TCP traffic detected without corresponding DNS query: 185.89.184.57
Source: unknown	TCP traffic detected without corresponding DNS query: 222.154.87.138
Source: unknown	TCP traffic detected without corresponding DNS query: 130.131.235.119
Source: unknown	TCP traffic detected without corresponding DNS query: 48.241.230.249
Source: unknown	TCP traffic detected without corresponding DNS query: 101.155.218.79
Source: unknown	TCP traffic detected without corresponding DNS query: 123.88.138.112
Source: unknown	TCP traffic detected without corresponding DNS query: 14.60.196.52
Source: unknown	TCP traffic detected without corresponding DNS query: 43.184.108.184
Source: unknown	TCP traffic detected without corresponding DNS query: 52.202.39.242
Source: unknown	TCP traffic detected without corresponding DNS query: 142.78.105.142
Source: unknown	TCP traffic detected without corresponding DNS query: 149.45.7.209
Source: unknown	TCP traffic detected without corresponding DNS query: 218.253.113.79
Source: unknown	TCP traffic detected without corresponding DNS query: 178.28.53.158
Source: unknown	TCP traffic detected without corresponding DNS query: 12.129.102.189
Source: unknown	TCP traffic detected without corresponding DNS query: 82.113.51.159
Source: unknown	TCP traffic detected without corresponding DNS query: 106.86.74.172
Source: unknown	TCP traffic detected without corresponding DNS query: 157.64.78.29
Source: unknown	TCP traffic detected without corresponding DNS query: 181.17.122.248
Source: unknown	TCP traffic detected without corresponding DNS query: 131.0.103.224
Source: unknown	TCP traffic detected without corresponding DNS query: 31.181.193.66
Source: unknown	TCP traffic detected without corresponding DNS query: 190.1.132.182
Source: unknown	TCP traffic detected without corresponding DNS query: 116.160.120.221
Source: unknown	TCP traffic detected without corresponding DNS query: 201.86.170.222
Source: unknown	TCP traffic detected without corresponding DNS query: 137.213.221.147
Source: unknown	TCP traffic detected without corresponding DNS query: 38.251.202.58
Source: unknown	TCP traffic detected without corresponding DNS query: 8.193.67.106
Source: unknown	TCP traffic detected without corresponding DNS query: 45.205.120.239
Source: unknown	TCP traffic detected without corresponding DNS query: 78.130.129.156
Source: unknown	TCP traffic detected without corresponding DNS query: 135.114.231.4
Source: unknown	TCP traffic detected without corresponding DNS query: 84.172.132.22
Source: unknown	TCP traffic detected without corresponding DNS query: 217.255.71.159
Source: unknown	TCP traffic detected without corresponding DNS query: 115.99.193.17
Source: unknown	TCP traffic detected without corresponding DNS query: 177.213.222.47
Source: unknown	TCP traffic detected without corresponding DNS query: 222.152.212.177
Source: unknown	TCP traffic detected without corresponding DNS query: 178.228.20.144

Source: unknown

DNS traffic detected: queries for: arcticboatz.cz

System Summary

Malicious sample detected (through community Yara rule)

Source: arm7, type: SAMPLE	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: arm7, type: SAMPLE	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5243.1.00000000eb7d369e.000000003b9895dc.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5243.1.00000000eb7d369e.000000003b9895dc.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth

Source: arm7, type: SAMPLE	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: arm7, type: SAMPLE	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5243.1.00000000eb7d369e.000000003b9895dc.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5243.1.00000000eb7d369e.000000003b9895dc.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research

Source: ELF static info symbol of initial sample

.symtab present: no

Source: Initial sample	String containing 'busybox' found: bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: farm7%s:%dwebservx86_64ppcm68kbin/busyboxbin/watchdogbin/systemd/bin/busybox/bin/watchdog/bin/systemd

Source: classification engine

Classification label: mal100.troj.lin@0/0@1/0

Persistence and Installation Behavior

Sets full permissions to files and/or directories

Source: /bin/sh (PID: 5250)

Chmod executable with 777: /usr/bin/chmod -> chmod 777 bin/watchdog

Source: /bin/sh (PID: 5248)

Mkdir executable: /usr/bin/mkdir -> mkdir bin

Source: /bin/sh (PID: 5250)

Chmod executable: /usr/bin/chmod -> chmod 777 bin/watchdog

Source: /usr/bin/chmod (PID: 5250)

File: /tmp/bin/watchdog (bits: - usr: rwx grp: rwx all: rwx)

Jump to behavior

Source: /tmp/arm7 (PID: 5245)

Shell command executed: /bin/sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog && mv /tmp/arm7 bin/watchdog; chmod 777 bin/watchdog"

Source: /bin/sh (PID: 5247)

Rm executable: /usr/bin/rm -> rm -rf bin/watchdog

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35540
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35542
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35544
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35546
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35548
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35550
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35552
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35554
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35556
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35558

Source: /tmp/arm7 (PID: 5243)

Queries kernel information via 'uname':

Source: arm7, 5243.1.000000008be5b948.00000000d02bc7b3.rw-.sdmp	Binary or memory string: vix86_64/usr/bin/qemu-arm/tmp/arm7SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm7
Source: arm7, 5243.1.00000000147b15dd.00000000ab599e33.rw-.sdmp	Binary or memory string: SV!/etc/qemu-binfmt/arm
Source: arm7, 5243.1.00000000147b15dd.00000000ab599e33.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: arm7, 5243.1.000000008be5b948.00000000d02bc7b3.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: arm7, type: SAMPLE
Source: Yara match	File source: 5243.1.00000000eb7d369e.000000003b9895dc.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: arm7, type: SAMPLE
Source: Yara match	File source: 5243.1.00000000eb7d369e.000000003b9895dc.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arm7 PID: 5243, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: arm7, type: SAMPLE
Source: Yara match	File source: 5243.1.00000000eb7d369e.000000003b9895dc.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: arm7, type: SAMPLE
Source: Yara match	File source: 5243.1.00000000eb7d369e.000000003b9895dc.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arm7 PID: 5243, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	Path Interception	Path Interception	2 File and Directory Permissions Modification	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Scripting	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
arm7	48%	Virustotal		Browse
arm7	56%	ReversingLabs	Linux.Trojan.Mirai
arm7	100%	Avira	LINUX/Mirai.bonb

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
arcticboatz.cz	4%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
arcticboatz.cz	95.181.161.40	true	true	4%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
89.244.88.20	unknown	Germany	8881	VERSATELDE	false
38.243.205.45	unknown	United States	36336	NATIXISUS	false
150.254.72.227	unknown	Poland	9112	POZMANPOZMAN-EDUPL	false
167.115.231.112	unknown	United States	17386	GRAINGERUS	false
88.213.227.97	unknown	France	8399	SEWAN-FR	false
128.122.29.231	unknown	United States	12	NYU-DOMAINUS	false
41.29.112.209	unknown	South Africa	29975	VODACOM-ZA	false
131.106.228.81	unknown	United States	6079	RCN-ASUS	false
54.176.161.42	unknown	United States	16509	AMAZON-02US	false
180.118.199.42	unknown	China	137702	CHINATELECOM-JIANGSU-NANJING-IDCNanjingJiangsuProvince	false
121.49.221.72	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
158.133.31.192	unknown	Switzerland	4616	HKPOLYU-HKInformationTechnologyServicesHK	false
69.245.183.227	unknown	United States	7922	COMCAST-7922US	false
136.116.11.165	unknown	United States	15169	GOOGLEUS	false
81.104.80.69	unknown	United Kingdom	5089	NTLGB	false
148.94.25.77	unknown	United States	786	JANETJiscServicesLimitedGB	false
98.51.41.129	unknown	United States	7922	COMCAST-7922US	false
189.220.156.46	unknown	Mexico	28509	CablemasTelecomunicacionesSAdeCVMX	false
218.98.10.57	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
20.156.174.178	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
121.64.81.231	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	false
80.116.244.216	unknown	Italy	3269	ASN-IBSNAZIT	false
46.36.5.67	unknown	Russian Federation	48642	KTEL-ASEkaterinburgRussiaRU	false
111.119.144.79	unknown	China	38342	CNNIC-SVCNET-APSHANGHAIVSATNETWORKSYSTEMSCOLTDCN	false
199.48.243.166	unknown	United States	22363	PHMGMT-AS1US	false
24.191.167.207	unknown	United States	6128	CABLE-NET-1US	false
191.175.211.88	unknown	Brazil	26615	TIMSABR	false
211.101.17.254	unknown	China	17964	DXTNETBeijingDian-Xin-TongNetworkTechnologiesCoLtd	false
203.44.155.66	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
134.241.171.162	unknown	United States	1256	MASSNET-ASUS	false
131.228.43.31	unknown	Finland	200656	NOKIA-EMEAFI	false
196.146.167.242	unknown	Egypt	36935	Vodafone-EG	false
137.234.55.185	unknown	United States	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
98.99.70.146	unknown	United States	62566	STARBUCKSUS	false
128.241.235.110	unknown	United States	2914	NTT-COMMUNICATIONS-2914US	false
152.163.238.165	unknown	United States	12129	123NETUS	false
39.212.214.250	unknown	Indonesia	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
143.224.224.137	unknown	Austria	2036	JOANNEUMJOANNEUMRESEARCHAT	false
151.80.145.18	unknown	Italy	16276	OVHFR	false
105.181.50.118	unknown	Egypt	37069	MOBINILEG	false
173.190.153.159	unknown	United States	7029	WINDSTREAMUS	false
186.152.31.235	unknown	Argentina	7303	TelecomArgentinaSAAR	false
171.44.88.170	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
102.66.4.1	unknown	South Africa	328471	Hero-TelecomsZA	false
220.78.28.186	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
1.192.152.159	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
2.63.69.178	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
86.222.2.26	unknown	France	3215	FranceTelecom-OrangeFR	false
186.140.126.112	unknown	Argentina	11315	TelefonicaMovilesArgentinaSAMovistarArgentinaAR	false
192.169.38.188	unknown	Singapore	4628	PACIFICINTERNET-AS-APPacificInternetPteLtdSG	false
131.77.142.148	unknown	United States	5974	DNIC-ASBLK-05800-06055US	false
125.165.67.14	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	false
153.23.135.175	unknown	United States	6035	DNIC-ASBLK-05800-06055US	false
209.84.106.224	unknown	United States	3356	LEVEL3US	false
129.116.67.107	unknown	United States	18	UTEXASUS	false
90.223.27.70	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
218.236.189.226	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
188.195.163.241	unknown	Germany	31334	KABELDEUTSCHLAND-ASDE	false
24.197.106.250	unknown	United States	20115	CHARTER-20115US	false
133.229.179.199	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
150.34.171.252	unknown	Japan	9991	SHUDO-UHiroshimaShudoUniversityJP	false
216.221.87.6	unknown	Canada	7992	COGECOWAVECA	false
158.224.185.45	unknown	United States	9159	CreditAgricoleFR	false
105.121.229.83	unknown	Nigeria	36873	VNL1-ASNG	false
12.66.163.165	unknown	United States	7018	ATT-INTERNET4US	false
201.2.252.218	unknown	Brazil	8167	BrasilTelecomSA-FilialDistritoFederalBR	false
42.202.153.211	unknown	China	134762	CHINANET-LIAONING-DALIAN-MANCHINANETLiaoningprovinceDali	false
210.48.124.143	unknown	New Zealand	4770	ICONZ-ASICONZLtdNZ	false
76.212.146.151	unknown	United States	7018	ATT-INTERNET4US	false
193.122.104.171	unknown	United States	31898	ORACLE-BMC-31898US	false
144.112.151.160	unknown	United States	3634	SFASU-ASUS	false
194.202.200.68	unknown	United Kingdom	702	UUNETUS	false
212.93.155.41	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	false
142.75.189.154	unknown	Canada	3900	TEXASNET-ASNUS	false
160.52.131.245	unknown	Austria	2381	WISCNET1-ASUS	false
36.34.215.226	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
114.58.80.77	unknown	Indonesia	4795	INDOSATM2-IDINDOSATM2ASNID	false
119.45.82.84	unknown	China	45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	false
125.223.24.12	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
157.245.211.172	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
40.78.216.75	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
123.194.54.251	unknown	Taiwan; Republic of China (ROC)	38841	KBRO-AS-TWkbroCOLtdTW	false
63.71.13.10	unknown	United States	13380	ASN-CUSTUS	false
165.164.162.250	unknown	United States	2381	WISCNET1-ASUS	false
75.152.207.199	unknown	Canada	852	ASN852CA	false
223.138.80.187	unknown	Taiwan; Republic of China (ROC)	17421	EMOME-NETMobileBusinessGroupTW	false
86.79.155.52	unknown	France	15557	LDCOMNETFR	false
108.143.6.204	unknown	United States	16509	AMAZON-02US	false
32.146.125.147	unknown	United States	2686	ATGS-MMD-ASUS	false
48.63.246.40	unknown	United States	2686	ATGS-MMD-ASUS	false
206.27.103.109	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
36.192.214.241	unknown	China	24138	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
157.237.150.70	unknown	Norway	2119	TELENOR-NEXTELTelenorNorgeASNO	false
14.60.196.52	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
157.73.206.112	unknown	Japan	131932	JEIS-NETJREastInformationSystemsCompanyJP	false
161.226.162.238	unknown	United States	3709	NET-CITY-SAUS	false
116.93.43.5	unknown	Philippines	23930	IPVG-AS-APIP-ConvergeDataCenterIncPH	false
9.79.229.204	unknown	United States	3356	LEVEL3US	false
110.129.128.165	unknown	Japan	9824	JTCL-JP-ASJupiterTelecommunicationCoLtdJP	false
203.34.33.137	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	false

File type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.120571086954281
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	arm7
File size:	107924
MD5:	a76e2e6437b384772b6ee03037a6d632
SHA1:	0640e30d9ad0a973536e9805b762748ddc267277
SHA256:	2bd730dc891f395d5bd663c9113ca86d23d046ecfb92f4b7ab28ad72cb40296a
SHA512:	6a2e153205f78ed6be5b989f23ca5c9cd44ed3c37281e99e59997d3b138924edc0b8dfde07ebb2217e06b67f3cbd63aeba2b25c3b0ca727762a47091e344ec8f
SSDEEP:	3072:JrIuUGKQm4F4VzfdKuaam+edAE5bft3KVFvwwbZnz:JrIuUGKV4iVLNaam+edAEJft8IwRz
File Content Preview:	.ELF..............(.........4...<.......4. ...(........pp...p...p... ... ...............................................................\4..........................................Q.td..................................-...L..................@-.,@...0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8194
Flags:	0x4000002
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	5
Section Header Offset:	107324
Section Header Size:	40
Number of Section Headers:	15
Header String Table Index:	14

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0
.init	PROGBITS	0x80d4	0xd4	0x10	0x0	0x6	AX	0	4
.text	PROGBITS	0x80f0	0xf0	0x17e6c	0x0	0x6	AX	0	16
.fini	PROGBITS	0x1ff5c	0x17f5c	0x10	0x0	0x6	AX	0	4
.rodata	PROGBITS	0x1ff70	0x17f70	0x1de8	0x0	0x2	A	0	8
.ARM.extab	PROGBITS	0x21d58	0x19d58	0x18	0x0	0x2	A	0	4
.ARM.exidx	ARM_EXIDX	0x21d70	0x19d70	0x120	0x0	0x82	AL	2	4
.eh_frame	PROGBITS	0x2a000	0x1a000	0x4	0x0	0x3	WA	0	4
.tbss	NOBITS	0x2a004	0x1a004	0x8	0x0	0x403	WAT	0	4
.init_array	INIT_ARRAY	0x2a004	0x1a004	0x4	0x0	0x3	WA	0	4
.fini_array	FINI_ARRAY	0x2a008	0x1a008	0x4	0x0	0x3	WA	0	4
.got	PROGBITS	0x2a010	0x1a010	0xa8	0x4	0x3	WA	0	4
.data	PROGBITS	0x2a0b8	0x1a0b8	0x210	0x0	0x3	WA	0	4
.bss	NOBITS	0x2a2c8	0x1a2c8	0x3194	0x0	0x3	WA	0	4
.shstrtab	STRTAB	0x0	0x1a2c8	0x73	0x0	0x0		0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
EXIDX	0x19d70	0x21d70	0x21d70	0x120	0x120	1.8471	0x4	R	0x4	.ARM.exidx
LOAD	0x0	0x8000	0x8000	0x19e90	0x19e90	3.4054	0x5	R E	0x8000	.init .text .fini .rodata .ARM.extab .ARM.exidx
LOAD	0x1a000	0x2a000	0x2a000	0x2c8	0x345c	2.1490	0x6	RW	0x8000	.eh_frame .init_array .fini_array .got .data .bss
TLS	0x1a004	0x2a004	0x2a004	0x0	0x8	0.0000	0x4	R	0x4
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 21, 2022 06:05:07.699419975 CET	52575	2323	192.168.2.23	223.181.116.138
Jan 21, 2022 06:05:07.699465036 CET	52575	23	192.168.2.23	24.110.53.51
Jan 21, 2022 06:05:07.699476004 CET	52575	23	192.168.2.23	117.190.124.128
Jan 21, 2022 06:05:07.699486971 CET	52575	23	192.168.2.23	151.42.246.215
Jan 21, 2022 06:05:07.699492931 CET	52575	23	192.168.2.23	12.238.109.77
Jan 21, 2022 06:05:07.699502945 CET	52575	23	192.168.2.23	208.228.183.191
Jan 21, 2022 06:05:07.699503899 CET	52575	23	192.168.2.23	105.129.93.223
Jan 21, 2022 06:05:07.699506998 CET	52575	23	192.168.2.23	132.67.146.38
Jan 21, 2022 06:05:07.699510098 CET	52575	23	192.168.2.23	197.132.212.160
Jan 21, 2022 06:05:07.699517012 CET	52575	23	192.168.2.23	53.165.72.97
Jan 21, 2022 06:05:07.699532986 CET	52575	2323	192.168.2.23	170.147.68.144
Jan 21, 2022 06:05:07.699583054 CET	52575	23	192.168.2.23	200.23.108.226
Jan 21, 2022 06:05:07.699590921 CET	52575	23	192.168.2.23	213.208.40.200
Jan 21, 2022 06:05:07.699599028 CET	52575	23	192.168.2.23	139.254.47.199
Jan 21, 2022 06:05:07.699587107 CET	52575	23	192.168.2.23	107.236.35.164
Jan 21, 2022 06:05:07.699615955 CET	52575	23	192.168.2.23	175.80.0.199
Jan 21, 2022 06:05:07.699636936 CET	52575	23	192.168.2.23	185.89.184.57
Jan 21, 2022 06:05:07.699637890 CET	52575	23	192.168.2.23	222.154.87.138
Jan 21, 2022 06:05:07.699639082 CET	52575	23	192.168.2.23	130.131.235.119
Jan 21, 2022 06:05:07.699642897 CET	52575	2323	192.168.2.23	48.241.230.249
Jan 21, 2022 06:05:07.699644089 CET	52575	23	192.168.2.23	101.155.218.79
Jan 21, 2022 06:05:07.699645996 CET	52575	23	192.168.2.23	123.88.138.112
Jan 21, 2022 06:05:07.699651957 CET	52575	23	192.168.2.23	14.60.196.52
Jan 21, 2022 06:05:07.699655056 CET	52575	23	192.168.2.23	43.184.108.184
Jan 21, 2022 06:05:07.699664116 CET	52575	23	192.168.2.23	52.202.39.242
Jan 21, 2022 06:05:07.699677944 CET	52575	23	192.168.2.23	142.78.105.142
Jan 21, 2022 06:05:07.699678898 CET	52575	23	192.168.2.23	149.45.7.209
Jan 21, 2022 06:05:07.699687004 CET	52575	23	192.168.2.23	218.253.113.79
Jan 21, 2022 06:05:07.699697018 CET	52575	23	192.168.2.23	178.28.53.158
Jan 21, 2022 06:05:07.699702024 CET	52575	23	192.168.2.23	12.129.102.189
Jan 21, 2022 06:05:07.699712038 CET	52575	2323	192.168.2.23	82.113.51.159
Jan 21, 2022 06:05:07.699718952 CET	52575	23	192.168.2.23	106.86.74.172
Jan 21, 2022 06:05:07.699726105 CET	52575	23	192.168.2.23	157.64.78.29
Jan 21, 2022 06:05:07.699727058 CET	52575	23	192.168.2.23	181.17.122.248
Jan 21, 2022 06:05:07.699737072 CET	52575	23	192.168.2.23	131.0.103.224
Jan 21, 2022 06:05:07.699738979 CET	52575	23	192.168.2.23	31.181.193.66
Jan 21, 2022 06:05:07.699742079 CET	52575	23	192.168.2.23	190.1.132.182
Jan 21, 2022 06:05:07.699778080 CET	52575	23	192.168.2.23	116.160.120.221
Jan 21, 2022 06:05:07.699784040 CET	52575	23	192.168.2.23	201.86.170.222
Jan 21, 2022 06:05:07.699796915 CET	52575	2323	192.168.2.23	137.213.221.147
Jan 21, 2022 06:05:07.699800968 CET	52575	23	192.168.2.23	38.251.202.58
Jan 21, 2022 06:05:07.699800968 CET	52575	23	192.168.2.23	8.193.67.106
Jan 21, 2022 06:05:07.699803114 CET	52575	23	192.168.2.23	45.205.120.239
Jan 21, 2022 06:05:07.699805021 CET	52575	23	192.168.2.23	78.130.129.156
Jan 21, 2022 06:05:07.699805975 CET	52575	23	192.168.2.23	135.114.231.4
Jan 21, 2022 06:05:07.699816942 CET	52575	23	192.168.2.23	84.172.132.22
Jan 21, 2022 06:05:07.699817896 CET	52575	23	192.168.2.23	217.255.71.159
Jan 21, 2022 06:05:07.699820995 CET	52575	23	192.168.2.23	115.99.193.17
Jan 21, 2022 06:05:07.699820995 CET	52575	2323	192.168.2.23	1.210.72.104
Jan 21, 2022 06:05:07.699821949 CET	52575	23	192.168.2.23	177.213.222.47
Jan 21, 2022 06:05:07.699826956 CET	52575	23	192.168.2.23	222.152.212.177
Jan 21, 2022 06:05:07.699830055 CET	52575	23	192.168.2.23	178.228.20.144
Jan 21, 2022 06:05:07.699826956 CET	52575	23	192.168.2.23	9.99.86.230
Jan 21, 2022 06:05:07.699831963 CET	52575	23	192.168.2.23	114.7.226.112
Jan 21, 2022 06:05:07.699832916 CET	52575	23	192.168.2.23	71.107.142.132
Jan 21, 2022 06:05:07.699834108 CET	52575	23	192.168.2.23	87.109.19.116
Jan 21, 2022 06:05:07.699840069 CET	52575	23	192.168.2.23	141.33.192.100
Jan 21, 2022 06:05:07.699840069 CET	52575	23	192.168.2.23	120.212.190.21
Jan 21, 2022 06:05:07.699846983 CET	52575	23	192.168.2.23	192.210.221.177
Jan 21, 2022 06:05:07.699847937 CET	52575	23	192.168.2.23	66.98.160.218
Jan 21, 2022 06:05:07.699851036 CET	52575	23	192.168.2.23	168.213.105.234
Jan 21, 2022 06:05:07.699855089 CET	52575	23	192.168.2.23	125.111.104.32
Jan 21, 2022 06:05:07.699856997 CET	52575	23	192.168.2.23	23.118.170.236
Jan 21, 2022 06:05:07.699857950 CET	52575	2323	192.168.2.23	54.247.47.62
Jan 21, 2022 06:05:07.699858904 CET	52575	23	192.168.2.23	74.152.59.223
Jan 21, 2022 06:05:07.699866056 CET	52575	23	192.168.2.23	94.45.40.152
Jan 21, 2022 06:05:07.699868917 CET	52575	23	192.168.2.23	63.186.250.147
Jan 21, 2022 06:05:07.699870110 CET	52575	23	192.168.2.23	111.16.7.33
Jan 21, 2022 06:05:07.699872971 CET	52575	23	192.168.2.23	188.184.60.242
Jan 21, 2022 06:05:07.699873924 CET	52575	2323	192.168.2.23	217.252.60.26
Jan 21, 2022 06:05:07.699877024 CET	52575	23	192.168.2.23	2.63.69.178
Jan 21, 2022 06:05:07.699877977 CET	52575	23	192.168.2.23	131.207.183.211
Jan 21, 2022 06:05:07.699878931 CET	52575	23	192.168.2.23	42.156.101.79
Jan 21, 2022 06:05:07.699881077 CET	52575	23	192.168.2.23	38.135.149.13
Jan 21, 2022 06:05:07.699886084 CET	52575	23	192.168.2.23	119.186.222.205
Jan 21, 2022 06:05:07.699886084 CET	52575	23	192.168.2.23	186.95.195.208
Jan 21, 2022 06:05:07.699888945 CET	52575	23	192.168.2.23	185.112.15.235
Jan 21, 2022 06:05:07.699893951 CET	52575	23	192.168.2.23	125.28.237.162
Jan 21, 2022 06:05:07.699901104 CET	52575	2323	192.168.2.23	38.216.177.220
Jan 21, 2022 06:05:07.699906111 CET	52575	23	192.168.2.23	104.231.163.13
Jan 21, 2022 06:05:07.699906111 CET	52575	23	192.168.2.23	156.130.90.76
Jan 21, 2022 06:05:07.699945927 CET	52575	23	192.168.2.23	106.56.17.32
Jan 21, 2022 06:05:07.699954987 CET	52575	23	192.168.2.23	220.73.128.29
Jan 21, 2022 06:05:07.699966908 CET	52575	23	192.168.2.23	67.229.163.128
Jan 21, 2022 06:05:07.699968100 CET	52575	23	192.168.2.23	195.100.2.91
Jan 21, 2022 06:05:07.699970961 CET	52575	23	192.168.2.23	205.252.199.22
Jan 21, 2022 06:05:07.699985027 CET	52575	23	192.168.2.23	174.80.19.29
Jan 21, 2022 06:05:07.699986935 CET	52575	23	192.168.2.23	175.182.154.49
Jan 21, 2022 06:05:07.699995995 CET	52575	23	192.168.2.23	137.64.21.24
Jan 21, 2022 06:05:07.700001001 CET	52575	23	192.168.2.23	139.219.28.23
Jan 21, 2022 06:05:07.700009108 CET	52575	2323	192.168.2.23	34.35.44.29
Jan 21, 2022 06:05:07.700018883 CET	52575	23	192.168.2.23	73.62.164.166
Jan 21, 2022 06:05:07.700030088 CET	52575	23	192.168.2.23	52.249.188.102
Jan 21, 2022 06:05:07.700038910 CET	52575	23	192.168.2.23	19.66.16.86
Jan 21, 2022 06:05:07.700050116 CET	52575	23	192.168.2.23	136.144.203.119
Jan 21, 2022 06:05:07.700052023 CET	52575	23	192.168.2.23	113.104.206.12
Jan 21, 2022 06:05:07.700053930 CET	52575	23	192.168.2.23	165.90.54.253
Jan 21, 2022 06:05:07.700062990 CET	52575	23	192.168.2.23	110.17.98.32
Jan 21, 2022 06:05:07.700063944 CET	52575	23	192.168.2.23	139.64.28.150
Jan 21, 2022 06:05:07.700074911 CET	52575	2323	192.168.2.23	168.164.222.155

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 21, 2022 06:05:07.692047119 CET	192.168.2.23	8.8.8.8	0xb3da	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 21, 2022 06:05:07.710294008 CET	8.8.8.8	192.168.2.23	0xb3da	No error (0)	arcticboatz.cz		95.181.161.40	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: arm7 PID: 5243, Parent PID: 5130

General

Start time:	06:05:06
Start date:	21/01/2022
Path:	/tmp/arm7
Arguments:	/tmp/arm7
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: arm7 PID: 5245, Parent PID: 5243

General

Start time:	06:05:06
Start date:	21/01/2022
Path:	/tmp/arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: sh PID: 5245, Parent PID: 5243

General

Start time:	06:05:06
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	/bin/sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog && mv /tmp/arm7 bin/watchdog; chmod 777 bin/watchdog"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 5247, Parent PID: 5245

General

Start time:	06:05:06
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: rm PID: 5247, Parent PID: 5245

General

Start time:	06:05:06
Start date:	21/01/2022
Path:	/usr/bin/rm
Arguments:	rm -rf bin/watchdog
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Analysis Process: sh PID: 5248, Parent PID: 5245

General

Start time:	06:05:06
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: mkdir PID: 5248, Parent PID: 5245

General

Start time:	06:05:06
Start date:	21/01/2022
Path:	/usr/bin/mkdir
Arguments:	mkdir bin
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Analysis Process: sh PID: 5249, Parent PID: 5245

General

Start time:	06:05:06
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: mv PID: 5249, Parent PID: 5245

General

Start time:	06:05:06
Start date:	21/01/2022
Path:	/usr/bin/mv
Arguments:	mv /tmp/arm7 bin/watchdog
File size:	149888 bytes
MD5 hash:	504f0590fa482d4da070a702260e3716

Analysis Process: sh PID: 5250, Parent PID: 5245

General

Start time:	06:05:06
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: chmod PID: 5250, Parent PID: 5245

General

Start time:	06:05:06
Start date:	21/01/2022
Path:	/usr/bin/chmod
Arguments:	chmod 777 bin/watchdog
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Analysis Process: arm7 PID: 5252, Parent PID: 5243

General

Start time:	06:05:06
Start date:	21/01/2022
Path:	/tmp/arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: arm7 PID: 5254, Parent PID: 5252

General

Start time:	06:05:06
Start date:	21/01/2022
Path:	/tmp/arm7
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report arm7

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Overview

Initial Sample

Memory Dumps

Jbx Signature Overview

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: arm7 PID: 5243, Parent PID: 5130

General

Analysis Process: arm7 PID: 5245, Parent PID: 5243

General

Analysis Process: sh PID: 5245, Parent PID: 5243

General

Analysis Process: sh PID: 5247, Parent PID: 5245

General

Analysis Process: rm PID: 5247, Parent PID: 5245

General

Analysis Process: sh PID: 5248, Parent PID: 5245

General

Analysis Process: mkdir PID: 5248, Parent PID: 5245

General

Analysis Process: sh PID: 5249, Parent PID: 5245

General

Analysis Process: mv PID: 5249, Parent PID: 5245

General

Analysis Process: sh PID: 5250, Parent PID: 5245

Linux Analysis Report
arm7