Edit tour

Linux Analysis Report
x86

Overview

General Information

Sample Name:	x86
Analysis ID:	557498
MD5:	1780fa4bcc6aa107d0bbbc7bf00dfd0a
SHA1:	9f8a838e4b0f42289cb04c047b4534f4d034e90f
SHA256:	0033a14ee6ebda0d95e4b9db23926c1fc0a201c8d51fa3beabd2409a3b5c5d97
Tags:	Mirai
Infos:

Detection

Mirai Moobot

Score:	96
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Yara detected Moobot

Machine Learning detection for sample

Sets full permissions to files and/or directories

Yara signature match

Sample has stripped symbol table

Executes the "mkdir" command used to create folders

Sample tries to set the executable flag

Executes the "chmod" command used to modify permissions

Executes commands using a shell command-line interpreter

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Executes the "rm" command used to delete files or directories

Sample listens on a socket

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	557498
Start date:	21.01.2022
Start time:	08:26:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 56s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	x86
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal96.troj.lin@0/0@1/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/x86
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	qazwsxedc
Standard Error:

Process Tree

system is lnxubuntu20

x86 (PID: 5222, Parent: 5117, MD5: 1780fa4bcc6aa107d0bbbc7bf00dfd0a) Arguments: /tmp/x86

x86 New Fork (PID: 5223, Parent: 5222)

sh (PID: 5223, Parent: 5222, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf bin/systemd && mkdir bin; >bin/systemd && mv /tmp/x86 bin/systemd; chmod 777 bin/systemd"

sh New Fork (PID: 5224, Parent: 5223)

rm (PID: 5224, Parent: 5223, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf bin/systemd

sh New Fork (PID: 5225, Parent: 5223)

mkdir (PID: 5225, Parent: 5223, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir bin

sh New Fork (PID: 5226, Parent: 5223)

mv (PID: 5226, Parent: 5223, MD5: 504f0590fa482d4da070a702260e3716) Arguments: mv /tmp/x86 bin/systemd

sh New Fork (PID: 5227, Parent: 5223)

chmod (PID: 5227, Parent: 5223, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 bin/systemd

x86 New Fork (PID: 5228, Parent: 5222)

x86 New Fork (PID: 5229, Parent: 5228)

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
x86	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x104aa:$x1: POST /cdn-cgi/ 0xfa63:$x3: /dev/watchdog 0xfb8c:$s1: LCOGQGPTGP
x86	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
x86	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
5222.1.00000000a0bbd638.00000000b1c13d1a.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x104aa:$x1: POST /cdn-cgi/ 0xfa63:$x3: /dev/watchdog 0xfb8c:$s1: LCOGQGPTGP
5222.1.00000000a0bbd638.00000000b1c13d1a.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
5222.1.00000000a0bbd638.00000000b1c13d1a.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
Process Memory Space: x86 PID: 5222	JoeSecurity_Moobot	Yara detected Moobot	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: x86

Avira: detected

Multi AV Scanner detection for submitted file

Source: x86	Virustotal: Detection: 36%			Perma Link
Source: x86	ReversingLabs: Detection: 53%

Machine Learning detection for sample

Source: x86

Joe Sandbox ML: detected

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 95.181.161.40:55005 -> 192.168.2.23:47080
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 68.180.106.57:23 -> 192.168.2.23:44448
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 68.180.106.57:23 -> 192.168.2.23:44448
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:43120 -> 187.248.39.129:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 203.189.152.57:23 -> 192.168.2.23:43418
Source: Traffic	Snort IDS: 716 INFO TELNET access 103.80.112.238:23 -> 192.168.2.23:40044
Source: Traffic	Snort IDS: 716 INFO TELNET access 181.216.85.93:23 -> 192.168.2.23:57536
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.217.228.22:23 -> 192.168.2.23:58760
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 181.216.85.93:23 -> 192.168.2.23:57536
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 81.18.201.36:23 -> 192.168.2.23:42260
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 81.18.201.36:23 -> 192.168.2.23:42260
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 68.180.106.57:23 -> 192.168.2.23:44502
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 68.180.106.57:23 -> 192.168.2.23:44502
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 81.18.201.36:23 -> 192.168.2.23:42270
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 81.18.201.36:23 -> 192.168.2.23:42270
Source: Traffic	Snort IDS: 716 INFO TELNET access 181.216.85.93:23 -> 192.168.2.23:57556
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 181.216.85.93:23 -> 192.168.2.23:57556
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 81.18.201.36:23 -> 192.168.2.23:42276
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 81.18.201.36:23 -> 192.168.2.23:42276
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:43192 -> 187.248.39.129:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 81.18.201.36:23 -> 192.168.2.23:42284
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 81.18.201.36:23 -> 192.168.2.23:42284
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:42296 -> 81.18.201.36:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 181.216.85.93:23 -> 192.168.2.23:57582
Source: Traffic	Snort IDS: 716 INFO TELNET access 203.189.152.57:23 -> 192.168.2.23:43500
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 81.18.201.36:23 -> 192.168.2.23:42296
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 81.18.201.36:23 -> 192.168.2.23:42296
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:42310 -> 81.18.201.36:23
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 181.216.85.93:23 -> 192.168.2.23:57582
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 81.18.201.36:23 -> 192.168.2.23:42310
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 81.18.201.36:23 -> 192.168.2.23:42310
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 81.18.201.36:23 -> 192.168.2.23:42320
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 81.18.201.36:23 -> 192.168.2.23:42320
Source: Traffic	Snort IDS: 716 INFO TELNET access 103.80.112.238:23 -> 192.168.2.23:40130
Source: Traffic	Snort IDS: 716 INFO TELNET access 181.216.85.93:23 -> 192.168.2.23:57614
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:42334 -> 81.18.201.36:23
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:57614 -> 181.216.85.93:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 103.80.112.238:23 -> 192.168.2.23:40138
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 181.216.85.93:23 -> 192.168.2.23:57614
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 81.18.201.36:23 -> 192.168.2.23:42334
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 81.18.201.36:23 -> 192.168.2.23:42334
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 81.18.201.36:23 -> 192.168.2.23:42340
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 81.18.201.36:23 -> 192.168.2.23:42340
Source: Traffic	Snort IDS: 716 INFO TELNET access 1.217.228.22:23 -> 192.168.2.23:58856
Source: Traffic	Snort IDS: 716 INFO TELNET access 181.216.85.93:23 -> 192.168.2.23:57656
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 81.18.201.36:23 -> 192.168.2.23:42366
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 81.18.201.36:23 -> 192.168.2.23:42366
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 181.216.85.93:23 -> 192.168.2.23:57656
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 221.178.131.82:23 -> 192.168.2.23:57214
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 68.180.106.57:23 -> 192.168.2.23:44618
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 68.180.106.57:23 -> 192.168.2.23:44618
Source: Traffic	Snort IDS: 716 INFO TELNET access 181.216.85.93:23 -> 192.168.2.23:57666
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 181.216.85.93:23 -> 192.168.2.23:57666
Source: Traffic	Snort IDS: 716 INFO TELNET access 203.189.152.57:23 -> 192.168.2.23:43582
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:38408 -> 200.60.4.217:23
Source: Traffic	Snort IDS: 716 INFO TELNET access 181.216.85.93:23 -> 192.168.2.23:57674
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 181.216.85.93:23 -> 192.168.2.23:57674
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:38420 -> 200.60.4.217:23
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:57236 -> 221.178.131.82:23

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 142.231.212.83:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 38.21.102.127:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 61.62.75.59:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 181.120.56.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 54.218.103.54:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 94.105.51.120:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 170.66.243.166:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 183.145.45.199:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 126.76.186.241:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 87.236.91.17:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 156.235.158.35:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 23.196.171.59:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 50.246.185.165:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 173.126.88.248:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 12.19.69.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 164.208.223.104:2323
Source: global traffic	TCP traffic: 192.168.2.23:47080 -> 95.181.161.40:55005
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 140.95.2.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 155.65.71.80:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 59.169.238.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 48.59.19.216:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 62.126.231.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 171.85.9.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 37.128.7.218:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 160.152.135.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 190.51.99.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 63.226.28.16:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 196.11.123.85:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 198.3.7.63:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 97.146.228.213:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 74.117.53.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 40.253.40.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 217.140.97.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 111.112.217.93:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 48.63.117.174:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 108.12.41.195:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 24.185.130.11:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 40.238.199.160:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 57.252.5.78:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 145.107.241.235:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 53.197.71.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 96.55.100.186:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 81.151.113.175:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 125.159.241.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 105.65.162.101:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 43.169.177.248:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 27.102.181.223:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 219.61.68.3:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 92.58.188.73:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 187.180.66.23:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 57.174.90.60:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 25.185.189.231:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 135.226.140.229:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 87.38.234.4:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 41.62.229.239:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 40.46.216.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 17.77.228.81:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 147.197.139.32:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 41.191.39.130:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 104.148.21.146:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 120.205.210.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 45.195.231.109:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 154.27.219.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 58.30.154.241:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 221.109.127.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 137.93.125.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 25.57.7.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 86.219.133.69:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 161.196.21.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 59.65.221.42:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 24.175.101.102:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 60.31.107.227:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 123.139.7.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 112.230.231.189:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 152.155.99.233:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 216.70.44.236:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 204.113.112.254:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 184.153.159.222:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 96.122.127.113:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 207.185.81.204:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 85.244.144.46:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 153.192.39.116:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 188.224.120.3:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 105.41.204.127:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 106.64.53.38:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 109.201.235.219:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 191.188.145.102:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 198.96.182.210:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 60.10.112.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 104.213.88.165:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 23.209.151.7:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 96.131.76.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 123.211.31.7:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 74.166.158.94:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 166.143.12.167:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 120.184.118.35:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 220.248.196.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 168.224.212.60:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 111.206.104.55:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 200.115.250.56:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 202.221.255.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 41.105.17.120:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 178.81.239.156:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 82.54.60.116:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 128.151.158.87:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 156.23.236.104:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 185.234.228.177:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 118.18.125.180:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 101.154.127.41:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 201.175.105.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 123.7.6.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 196.190.1.47:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 209.211.229.215:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 96.130.75.186:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 27.157.200.145:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 220.137.124.113:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 113.74.85.202:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 114.34.103.25:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 219.160.155.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 173.218.224.211:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 89.90.145.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 118.250.32.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 141.167.194.245:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 131.200.228.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 75.255.24.15:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 173.167.132.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 96.232.235.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 167.220.161.15:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 24.100.40.124:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 223.235.181.97:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 185.8.36.54:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 166.185.19.13:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 61.11.218.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 212.234.137.187:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 108.36.122.23:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 135.153.224.51:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 116.82.118.44:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 163.146.221.169:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 25.38.99.71:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 155.162.203.28:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 183.212.101.134:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 36.118.160.93:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 152.147.125.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 52.29.168.22:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 62.43.45.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 113.245.84.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 107.0.63.100:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 167.186.232.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 177.29.151.73:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 164.94.56.231:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 201.64.123.137:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 39.102.161.47:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 32.21.208.24:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 83.200.17.199:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 179.131.52.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 80.144.232.33:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 142.126.43.62:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 47.116.125.69:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 218.9.11.84:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 79.220.191.102:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 39.236.144.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 59.21.9.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 39.204.25.249:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 148.59.226.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 91.194.19.157:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 207.56.251.50:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 166.61.56.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 44.159.31.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 78.187.167.106:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 153.148.60.160:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 209.242.93.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 32.199.166.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 5.65.195.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 75.76.98.72:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 8.206.129.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 145.103.63.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 20.61.60.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 58.8.85.128:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 117.46.182.9:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 203.47.167.69:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 111.248.238.185:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 193.253.239.212:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 43.29.124.207:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 79.5.30.93:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 203.4.135.116:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 124.118.65.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 197.9.247.229:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 210.165.141.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 154.78.187.11:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 58.134.12.14:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 74.218.11.170:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 40.39.15.128:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 105.138.133.248:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 65.20.86.245:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 73.50.17.185:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 100.247.20.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 74.212.179.123:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 183.17.134.82:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 168.149.20.89:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 210.77.208.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 48.161.198.60:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 160.203.51.206:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 92.194.231.229:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 32.230.63.92:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 66.6.54.195:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 87.154.48.241:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 143.50.246.26:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 92.161.193.212:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 176.99.135.166:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 193.100.197.226:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 53.89.49.10:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 221.87.90.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 79.26.243.233:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 139.163.212.55:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 203.23.85.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 67.194.175.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 223.50.249.23:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 17.211.123.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 115.21.68.74:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 205.11.122.11:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 107.83.176.187:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 157.56.59.33:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 97.202.92.0:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 12.44.48.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 34.235.16.233:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 138.173.89.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 153.55.235.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 197.6.252.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 76.47.89.56:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 5.22.214.1:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 201.21.34.213:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 161.16.109.56:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 124.59.248.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 116.19.152.54:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 81.193.114.233:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 163.216.173.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 122.139.0.115:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 194.119.155.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 217.169.8.178:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 118.244.133.224:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 13.57.69.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 204.159.111.29:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 73.149.56.129:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 163.194.41.7:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 79.47.81.228:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 221.200.208.73:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 76.133.164.163:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 45.142.98.219:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 71.138.3.197:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 58.49.44.204:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 147.219.190.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 218.164.116.22:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 204.151.111.240:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 161.113.25.155:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 182.89.12.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 125.76.130.26:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 87.28.250.178:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 32.130.203.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 97.126.143.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 211.252.240.1:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 4.220.25.80:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 205.69.50.13:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 23.86.69.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 86.42.155.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 48.130.204.6:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 128.12.28.181:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 1.156.181.103:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 164.243.242.60:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 67.74.222.214:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 8.120.54.83:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 72.75.96.21:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 14.130.224.15:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 75.212.91.141:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 121.92.171.22:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 148.188.147.170:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 167.54.192.161:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 13.63.74.236:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 143.187.114.82:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 86.178.5.146:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 186.155.9.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 50.249.202.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 105.149.10.104:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 60.119.37.85:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 125.24.102.92:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 207.82.93.56:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 100.187.38.74:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 46.73.180.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 144.29.208.73:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 222.237.242.205:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 202.88.190.130:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 34.126.231.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 217.50.233.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 195.27.16.109:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 54.99.95.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 52.204.142.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 167.200.146.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 14.235.170.40:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 131.42.106.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 213.179.186.42:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 51.181.104.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 120.53.142.207:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 1.92.131.122:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 94.177.120.169:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 158.15.139.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 175.74.140.252:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 188.98.115.137:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 208.201.54.37:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 24.118.54.214:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 102.2.77.198:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 173.105.196.87:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 20.49.40.194:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 142.168.3.115:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 157.146.141.120:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 207.134.135.165:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 112.50.62.63:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 98.165.174.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 140.172.197.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 129.128.187.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 108.172.79.114:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 130.150.118.128:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 68.245.234.27:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 170.6.131.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 9.28.91.254:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 84.49.28.26:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 221.135.167.114:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 97.19.22.180:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 148.73.12.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 40.70.8.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 195.62.113.89:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 92.11.207.219:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 154.115.210.13:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 161.124.50.1:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 9.112.76.235:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 27.241.218.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 62.191.172.130:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 83.61.140.171:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 46.5.220.59:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 1.145.198.149:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 50.238.58.144:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 106.224.162.162:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 142.83.197.47:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 221.215.242.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 186.121.120.22:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 70.106.168.199:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 129.149.185.215:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 162.66.135.87:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 105.5.78.37:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 47.104.46.174:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 123.96.91.29:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 206.23.70.185:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 209.81.175.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 180.4.30.216:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 19.43.152.120:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 91.36.183.68:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 120.120.165.210:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 121.184.153.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 18.153.89.132:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 23.19.147.252:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 51.223.134.244:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 158.212.48.199:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 169.229.72.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 194.233.186.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 169.222.38.203:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 47.43.163.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 142.176.42.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 18.185.13.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 20.73.51.54:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 218.104.143.93:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 130.8.89.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 17.255.145.248:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 202.63.81.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 100.160.201.16:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 173.2.58.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 48.43.16.213:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 148.73.45.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 27.102.240.137:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 155.17.123.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 151.159.168.174:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 169.184.36.44:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 154.98.186.231:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 163.66.174.202:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 86.210.31.163:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 49.216.127.189:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 116.200.61.74:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 162.55.116.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 74.206.140.146:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 104.101.202.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 93.108.148.108:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 133.242.226.85:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 59.153.126.53:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 166.238.240.66:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 213.132.14.85:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 150.123.201.87:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 179.5.230.40:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 113.151.179.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 8.132.217.124:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 135.239.120.102:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 164.64.200.187:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 142.79.15.68:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 25.252.219.16:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 142.67.163.208:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 92.175.114.192:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 70.66.170.138:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 133.204.177.171:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 189.133.23.91:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 8.95.171.251:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 135.244.53.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 66.128.3.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 47.77.115.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 147.70.71.210:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 4.43.219.184:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 88.184.233.226:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 198.221.212.94:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 101.138.245.241:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 85.90.71.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 206.3.218.51:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 145.18.82.137:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 177.72.245.83:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 166.157.52.60:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 112.4.71.37:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 163.109.157.85:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 13.69.205.109:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 123.101.86.147:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 163.22.185.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 196.62.1.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 150.25.236.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 207.54.224.190:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 128.218.16.44:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 107.167.36.208:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 144.121.161.1:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 159.200.239.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 137.16.214.207:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 209.36.206.194:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 98.48.128.153:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 178.102.169.26:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 76.154.182.179:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 105.142.152.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 142.249.55.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 210.42.93.1:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 96.122.138.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 211.247.36.101:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 98.243.76.112:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 41.47.46.69:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 179.86.157.161:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 141.69.251.145:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 126.35.234.124:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 138.181.175.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 97.3.131.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 2.4.222.24:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 181.93.150.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 86.136.28.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 157.150.82.225:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 181.172.124.138:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 49.118.230.243:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 168.92.10.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 118.141.139.85:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 37.60.29.35:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 31.62.177.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 163.253.191.0:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 129.3.88.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 13.104.58.220:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 95.34.145.194:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 170.51.237.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 105.124.167.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 159.217.158.173:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 222.66.13.237:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 112.165.223.18:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 105.150.238.50:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 72.21.65.204:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 176.249.3.208:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 64.57.71.216:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 217.188.94.83:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 128.158.145.204:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 41.233.218.137:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 145.149.13.165:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 222.27.53.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 98.60.80.7:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 218.159.26.167:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 87.49.47.35:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 106.226.93.162:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 25.91.216.29:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 166.204.61.27:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 125.180.161.18:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 194.85.109.14:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 89.166.77.232:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 25.150.133.106:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 196.26.132.109:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 115.229.246.25:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 217.210.84.40:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 173.237.168.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 8.137.134.241:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 44.89.237.114:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 126.121.36.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 147.223.234.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 18.212.144.40:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 160.45.183.189:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 95.43.75.216:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 61.224.11.38:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 196.5.193.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:49014 -> 123.5.56.31:2323

Source: /tmp/x86 (PID: 5222)

Socket: 127.0.0.1::1124

Source: unknown

DNS traffic detected: queries for: arcticboatz.cz

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 219.220.101.68
Source: unknown	TCP traffic detected without corresponding DNS query: 84.119.230.83
Source: unknown	TCP traffic detected without corresponding DNS query: 142.231.212.83
Source: unknown	TCP traffic detected without corresponding DNS query: 174.9.182.198
Source: unknown	TCP traffic detected without corresponding DNS query: 140.142.157.105
Source: unknown	TCP traffic detected without corresponding DNS query: 217.156.178.192
Source: unknown	TCP traffic detected without corresponding DNS query: 203.124.80.26
Source: unknown	TCP traffic detected without corresponding DNS query: 38.21.102.127
Source: unknown	TCP traffic detected without corresponding DNS query: 75.188.46.204
Source: unknown	TCP traffic detected without corresponding DNS query: 1.6.194.75
Source: unknown	TCP traffic detected without corresponding DNS query: 148.73.149.41
Source: unknown	TCP traffic detected without corresponding DNS query: 137.142.255.180
Source: unknown	TCP traffic detected without corresponding DNS query: 140.239.1.218
Source: unknown	TCP traffic detected without corresponding DNS query: 167.31.164.83
Source: unknown	TCP traffic detected without corresponding DNS query: 54.142.138.125
Source: unknown	TCP traffic detected without corresponding DNS query: 35.92.121.43
Source: unknown	TCP traffic detected without corresponding DNS query: 196.91.90.25
Source: unknown	TCP traffic detected without corresponding DNS query: 45.235.16.89
Source: unknown	TCP traffic detected without corresponding DNS query: 130.224.198.17
Source: unknown	TCP traffic detected without corresponding DNS query: 90.15.39.230
Source: unknown	TCP traffic detected without corresponding DNS query: 61.62.75.59
Source: unknown	TCP traffic detected without corresponding DNS query: 190.143.236.145
Source: unknown	TCP traffic detected without corresponding DNS query: 221.250.41.134
Source: unknown	TCP traffic detected without corresponding DNS query: 27.185.1.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.64.44
Source: unknown	TCP traffic detected without corresponding DNS query: 152.128.19.125
Source: unknown	TCP traffic detected without corresponding DNS query: 181.120.56.201
Source: unknown	TCP traffic detected without corresponding DNS query: 40.124.152.92
Source: unknown	TCP traffic detected without corresponding DNS query: 4.94.220.105
Source: unknown	TCP traffic detected without corresponding DNS query: 189.64.42.171
Source: unknown	TCP traffic detected without corresponding DNS query: 20.200.55.75
Source: unknown	TCP traffic detected without corresponding DNS query: 129.153.102.24
Source: unknown	TCP traffic detected without corresponding DNS query: 92.169.178.66
Source: unknown	TCP traffic detected without corresponding DNS query: 155.245.169.255
Source: unknown	TCP traffic detected without corresponding DNS query: 25.136.157.196
Source: unknown	TCP traffic detected without corresponding DNS query: 113.192.88.80
Source: unknown	TCP traffic detected without corresponding DNS query: 218.244.141.186
Source: unknown	TCP traffic detected without corresponding DNS query: 31.183.125.132
Source: unknown	TCP traffic detected without corresponding DNS query: 146.98.33.96
Source: unknown	TCP traffic detected without corresponding DNS query: 203.150.88.240
Source: unknown	TCP traffic detected without corresponding DNS query: 221.137.163.178
Source: unknown	TCP traffic detected without corresponding DNS query: 54.218.103.54
Source: unknown	TCP traffic detected without corresponding DNS query: 5.44.129.65
Source: unknown	TCP traffic detected without corresponding DNS query: 94.105.51.120
Source: unknown	TCP traffic detected without corresponding DNS query: 31.225.15.191
Source: unknown	TCP traffic detected without corresponding DNS query: 187.199.202.28
Source: unknown	TCP traffic detected without corresponding DNS query: 64.61.239.13
Source: unknown	TCP traffic detected without corresponding DNS query: 57.247.68.221
Source: unknown	TCP traffic detected without corresponding DNS query: 162.17.96.184
Source: unknown	TCP traffic detected without corresponding DNS query: 200.121.41.161

System Summary

Malicious sample detected (through community Yara rule)

Source: x86, type: SAMPLE	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5222.1.00000000a0bbd638.00000000b1c13d1a.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth

Source: x86, type: SAMPLE	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5222.1.00000000a0bbd638.00000000b1c13d1a.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b

Source: ELF static info symbol of initial sample

.symtab present: no

Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: fx86_64webserv%s:%darm7ppcm68k/bin/busybox/bin/watchdog/bin/systemd

Source: classification engine

Classification label: mal96.troj.lin@0/0@1/0

Persistence and Installation Behavior

Sets full permissions to files and/or directories

Source: /bin/sh (PID: 5227)

Chmod executable with 777: /usr/bin/chmod -> chmod 777 bin/systemd

Source: /bin/sh (PID: 5225)

Mkdir executable: /usr/bin/mkdir -> mkdir bin

Source: /usr/bin/chmod (PID: 5227)

File: /tmp/bin/systemd (bits: - usr: rwx grp: rwx all: rwx)

Jump to behavior

Source: /bin/sh (PID: 5227)

Chmod executable: /usr/bin/chmod -> chmod 777 bin/systemd

Source: /tmp/x86 (PID: 5223)

Shell command executed: sh -c "rm -rf bin/systemd && mkdir bin; >bin/systemd && mv /tmp/x86 bin/systemd; chmod 777 bin/systemd"

Source: /bin/sh (PID: 5224)

Rm executable: /usr/bin/rm -> rm -rf bin/systemd

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: x86, type: SAMPLE
Source: Yara match	File source: 5222.1.00000000a0bbd638.00000000b1c13d1a.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: x86, type: SAMPLE
Source: Yara match	File source: 5222.1.00000000a0bbd638.00000000b1c13d1a.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86 PID: 5222, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: x86, type: SAMPLE
Source: Yara match	File source: 5222.1.00000000a0bbd638.00000000b1c13d1a.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: x86, type: SAMPLE
Source: Yara match	File source: 5222.1.00000000a0bbd638.00000000b1c13d1a.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x86 PID: 5222, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	Path Interception	Path Interception	2 File and Directory Permissions Modification	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Scripting	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
x86	36%	Virustotal		Browse
x86	53%	ReversingLabs	Linux.Trojan.Gafgyt
x86	100%	Avira	LINUX/Gafgyt.vka
x86	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
arcticboatz.cz	4%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
arcticboatz.cz	95.181.161.40	true	true	4%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
93.159.75.28	unknown	Croatia (LOCAL Name: Hrvatska)	5391	T-HTCroatianTelecomIncHR	false
221.207.171.0	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
114.156.106.5	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
106.87.226.13	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
72.80.164.124	unknown	United States	701	UUNETUS	false
157.95.204.143	unknown	United States	29700	CYPRESS-SEMICONDUCTORUS	false
51.127.189.197	unknown	United Kingdom	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
168.193.156.82	unknown	United States	27435	OPSOURCE-INCUS	false
2.173.32.247	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
203.86.142.26	unknown	Hong Kong	4760	HKTIMS-APHKTLimitedHK	false
133.111.13.207	unknown	Japan	2497	IIJInternetInitiativeJapanIncJP	false
188.30.226.8	unknown	United Kingdom	206067	H3GUKGB	false
77.251.26.232	unknown	Netherlands	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
77.11.152.161	unknown	Germany	6805	TDDE-ASN1DE	false
221.246.233.161	unknown	Japan	17506	UCOMARTERIANetworksCorporationJP	false
157.146.114.253	unknown	United States	719	ELISA-ASHelsinkiFinlandEU	false
58.120.90.66	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
19.215.98.92	unknown	United States	3	MIT-GATEWAYSUS	false
24.181.167.141	unknown	United States	20115	CHARTER-20115US	false
72.22.196.243	unknown	United States	62648	CMB-ASNUS	false
150.192.43.49	unknown	United States	1479	DNIC-ASBLK-01478-01479US	false
131.40.166.4	unknown	United States	452	AFCONC-BLOCK1-ASUS	false
95.104.118.215	unknown	Georgia	16010	MAGTICOMASCaucasus-OnlineGE	false
178.252.213.17	unknown	Russian Federation	24689	ROSINTEL-ASRU	false
210.222.91.114	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
118.250.121.168	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
133.107.241.23	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
27.153.37.134	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
205.124.31.118	unknown	United States	210	WEST-NET-WESTUS	false
165.68.7.86	unknown	United States	29885	UCHHS-ASUS	false
147.51.71.88	unknown	United States	1491	DNIC-AS-01491US	false
186.1.227.220	unknown	Argentina	52251	NORTECHAR	false
176.153.184.104	unknown	France	5410	BOUYGTEL-ISPFR	false
206.246.3.148	unknown	United States	27258	KAMOPOWERUS	false
125.6.109.58	unknown	Japan	17707	DATAHOTEL-JPASforDATAHOTELwhichisoneofiDCinJapan	false
45.25.135.219	unknown	United States	7018	ATT-INTERNET4US	false
174.156.87.240	unknown	United States	10507	SPCSUS	false
166.119.39.139	unknown	Japan	131790	SANOFI-SG6RafflesQuay18-00SG	false
13.66.19.93	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
71.82.198.43	unknown	United States	20115	CHARTER-20115US	false
218.158.83.43	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
222.35.64.191	unknown	China	24138	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
61.111.155.62	unknown	Korea Republic of	4670	HYUNDAI-KRShinbiroKR	false
139.189.85.92	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
197.39.112.164	unknown	Egypt	8452	TE-ASTE-ASEG	false
24.118.54.214	unknown	United States	7922	COMCAST-7922US	false
159.38.88.62	unknown	Sweden	19399	SLLNETEU	false
20.138.253.203	unknown	United States	22562	CSC-IGN-EMEAUS	false
166.157.52.60	unknown	United States	22394	CELLCOUS	false
118.142.173.236	unknown	Hong Kong	9304	HUTCHISON-AS-APHGCGlobalCommunicationsLimitedHK	false
170.109.110.70	unknown	United States	7018	ATT-INTERNET4US	false
118.182.191.81	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
157.111.35.111	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
48.158.241.178	unknown	United States	2686	ATGS-MMD-ASUS	false
45.228.1.204	unknown	Brazil	267054	LINKWAYTELECOMBR	false
42.70.155.245	unknown	Taiwan; Republic of China (ROC)	17421	EMOME-NETMobileBusinessGroupTW	false
135.91.191.89	unknown	United States	10455	LUCENT-CIOUS	false
103.159.15.26	unknown	unknown	134687	TWIDC-AS-APTWIDCLimitedHK	false
43.139.190.48	unknown	Japan	4249	LILLY-ASUS	false
69.68.215.177	unknown	United States	18494	CENTURYLINK-LEGACY-EMBARQ-WRBGUS	false
121.88.133.138	unknown	Korea Republic of	10036	CNM-AS-KRDLIVEKR	false
27.92.184.219	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
103.17.68.226	unknown	Bangladesh	58814	BANKASIALIMITED-AS-APBankAsiaLimitedBD	false
102.212.38.252	unknown	unknown	36926	CKL1-ASNKE	false
64.61.239.13	unknown	United States	32946	RPU-1892US	false
169.196.167.204	unknown	United States	20249	AS20249US	false
134.59.211.185	unknown	France	2200	FR-RENATERReseauNationaldetelecommunicationspourlaTec	false
18.227.222.44	unknown	United States	16509	AMAZON-02US	false
24.119.81.142	unknown	United States	11492	CABLEONEUS	false
165.91.25.157	unknown	United States	3794	TAMUUS	false
164.53.91.16	unknown	Australia	10235	NAB-AS-APNationalAustraliaBankLimitedAU	false
5.40.77.248	unknown	Spain	207412	JUSTOES	false
43.199.125.167	unknown	Japan	4249	LILLY-ASUS	false
187.212.87.3	unknown	Mexico	8151	UninetSAdeCVMX	false
121.92.171.22	unknown	Japan	2510	INFOWEBFUJITSULIMITEDJP	false
31.225.15.191	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
83.27.125.187	unknown	Poland	5617	TPNETPL	false
169.105.87.50	unknown	United States	37611	AfrihostZA	false
208.145.68.220	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
76.166.83.90	unknown	United States	20001	TWC-20001-PACWESTUS	false
84.58.245.7	unknown	Germany	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
165.122.99.65	unknown	United States	3376	MCI-ASNUS	false
121.57.253.53	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
101.235.253.19	unknown	Korea Republic of	10036	CNM-AS-KRDLIVEKR	false
149.123.223.163	unknown	United States	174	COGENT-174US	false
192.215.186.199	unknown	United States	4266	CERNET-ASN-BLOCKUS	false
142.142.45.130	unknown	Canada	808	GONET-ASN-1CA	false
79.81.192.121	unknown	France	15557	LDCOMNETFR	false
84.123.88.75	unknown	Spain	12357	COMUNITELSPAINES	false
150.30.62.61	unknown	Japan	7516	TOHKNETTohokuIntelligentTelecommunicationCoIncJP	false
219.50.108.55	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
78.180.254.88	unknown	Turkey	9121	TTNETTR	false
1.63.17.173	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
141.25.92.54	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false
94.157.167.179	unknown	Netherlands	50266	TMOBILE-THUISNL	false
133.116.140.222	unknown	Japan	2522	PPP-EXPJapanNetworkInformationCenterJP	false
60.87.24.58	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
91.159.84.100	unknown	Finland	719	ELISA-ASHelsinkiFinlandEU	false
140.65.179.96	unknown	United States	23700	FASTNET-AS-IDLinknet-FastnetASNID	false
211.175.192.49	unknown	Korea Republic of	9457	DREAMX-ASDREAMLINECOKR	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.341796052094503
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	x86
File size:	74656
MD5:	1780fa4bcc6aa107d0bbbc7bf00dfd0a
SHA1:	9f8a838e4b0f42289cb04c047b4534f4d034e90f
SHA256:	0033a14ee6ebda0d95e4b9db23926c1fc0a201c8d51fa3beabd2409a3b5c5d97
SHA512:	14252ac161a4a741e0a8e9a0111c15950a901710b8c027489389543f891f4de8e8e2fd0a6b6f0597b6d27a5cc6f8ca0f50c5e863a836b449b17551ed49f41851
SSDEEP:	1536:9DbhNzyVTW72M0p6jI2n4ms0QpRm8yfjChkgUDQHQzeTBnk9:9RNzgoRY6jbn9sl48GChklQHQzeTBnk9
File Content Preview:	.ELF..............>.......@.....@....... !..........@.8...@.......................@.......@.....p.......p.......................x.......x.Q.....x.Q.....h........1..............Q.td....................................................H...._........H........

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400194
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	74016
Section Header Size:	64
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x4000e8	0xe8	0x13	0x0	0x6	AX	1
.text	PROGBITS	0x400100	0x100	0xf816	0x0	0x6	AX	16
.fini	PROGBITS	0x40f916	0xf916	0xe	0x0	0x6	AX	1
.rodata	PROGBITS	0x40f940	0xf940	0x2330	0x0	0x2	A	32
.ctors	PROGBITS	0x511c78	0x11c78	0x10	0x0	0x3	WA	8
.dtors	PROGBITS	0x511c88	0x11c88	0x10	0x0	0x3	WA	8
.data	PROGBITS	0x511ca0	0x11ca0	0x440	0x0	0x3	WA	32
.bss	NOBITS	0x5120e0	0x120e0	0x2ca8	0x0	0x3	WA	32
.shstrtab	STRTAB	0x0	0x120e0	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x11c70	0x11c70	3.7570	0x5	R E	0x100000	.init .text .fini .rodata
LOAD	0x11c78	0x511c78	0x511c78	0x468	0x3110	1.4240	0x6	RW	0x100000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 21, 2022 08:26:57.663871050 CET	49014	23	192.168.2.23	219.220.101.68
Jan 21, 2022 08:26:57.663883924 CET	49014	23	192.168.2.23	84.119.230.83
Jan 21, 2022 08:26:57.663909912 CET	49014	2323	192.168.2.23	142.231.212.83
Jan 21, 2022 08:26:57.663922071 CET	49014	23	192.168.2.23	174.9.182.198
Jan 21, 2022 08:26:57.663932085 CET	49014	23	192.168.2.23	140.142.157.105
Jan 21, 2022 08:26:57.663935900 CET	49014	23	192.168.2.23	217.156.178.192
Jan 21, 2022 08:26:57.663940907 CET	49014	23	192.168.2.23	203.124.80.26
Jan 21, 2022 08:26:57.663942099 CET	49014	2323	192.168.2.23	38.21.102.127
Jan 21, 2022 08:26:57.663947105 CET	49014	23	192.168.2.23	75.188.46.204
Jan 21, 2022 08:26:57.663952112 CET	49014	23	192.168.2.23	1.6.194.75
Jan 21, 2022 08:26:57.663958073 CET	49014	23	192.168.2.23	148.73.149.41
Jan 21, 2022 08:26:57.663954973 CET	49014	23	192.168.2.23	137.142.255.180
Jan 21, 2022 08:26:57.663953066 CET	49014	23	192.168.2.23	140.239.1.218
Jan 21, 2022 08:26:57.663964033 CET	49014	23	192.168.2.23	167.31.164.83
Jan 21, 2022 08:26:57.663969040 CET	49014	23	192.168.2.23	54.142.138.125
Jan 21, 2022 08:26:57.663970947 CET	49014	23	192.168.2.23	35.92.121.43
Jan 21, 2022 08:26:57.663974047 CET	49014	23	192.168.2.23	196.91.90.25
Jan 21, 2022 08:26:57.663980961 CET	49014	23	192.168.2.23	45.235.16.89
Jan 21, 2022 08:26:57.663985968 CET	49014	23	192.168.2.23	130.224.198.17
Jan 21, 2022 08:26:57.663989067 CET	49014	23	192.168.2.23	90.15.39.230
Jan 21, 2022 08:26:57.663991928 CET	49014	2323	192.168.2.23	61.62.75.59
Jan 21, 2022 08:26:57.663995981 CET	49014	23	192.168.2.23	190.143.236.145
Jan 21, 2022 08:26:57.663997889 CET	49014	23	192.168.2.23	221.250.41.134
Jan 21, 2022 08:26:57.664005995 CET	49014	23	192.168.2.23	27.185.1.94
Jan 21, 2022 08:26:57.664012909 CET	49014	23	192.168.2.23	23.44.64.44
Jan 21, 2022 08:26:57.664016008 CET	49014	23	192.168.2.23	152.128.19.125
Jan 21, 2022 08:26:57.664020061 CET	49014	2323	192.168.2.23	181.120.56.201
Jan 21, 2022 08:26:57.664022923 CET	49014	23	192.168.2.23	40.124.152.92
Jan 21, 2022 08:26:57.664027929 CET	49014	23	192.168.2.23	4.94.220.105
Jan 21, 2022 08:26:57.664035082 CET	49014	23	192.168.2.23	189.64.42.171
Jan 21, 2022 08:26:57.664037943 CET	49014	23	192.168.2.23	20.200.55.75
Jan 21, 2022 08:26:57.664040089 CET	49014	23	192.168.2.23	129.153.102.24
Jan 21, 2022 08:26:57.664045095 CET	49014	23	192.168.2.23	92.169.178.66
Jan 21, 2022 08:26:57.664048910 CET	49014	23	192.168.2.23	155.245.169.255
Jan 21, 2022 08:26:57.665641069 CET	49014	23	192.168.2.23	25.136.157.196
Jan 21, 2022 08:26:57.665677071 CET	49014	23	192.168.2.23	113.192.88.80
Jan 21, 2022 08:26:57.665695906 CET	49014	23	192.168.2.23	218.244.141.186
Jan 21, 2022 08:26:57.665707111 CET	49014	23	192.168.2.23	31.183.125.132
Jan 21, 2022 08:26:57.665709972 CET	49014	23	192.168.2.23	146.98.33.96
Jan 21, 2022 08:26:57.665710926 CET	49014	23	192.168.2.23	203.150.88.240
Jan 21, 2022 08:26:57.665715933 CET	49014	23	192.168.2.23	221.137.163.178
Jan 21, 2022 08:26:57.665728092 CET	49014	2323	192.168.2.23	54.218.103.54
Jan 21, 2022 08:26:57.665741920 CET	49014	23	192.168.2.23	5.44.129.65
Jan 21, 2022 08:26:57.665745020 CET	49014	2323	192.168.2.23	94.105.51.120
Jan 21, 2022 08:26:57.665750980 CET	49014	23	192.168.2.23	31.225.15.191
Jan 21, 2022 08:26:57.665754080 CET	49014	23	192.168.2.23	187.199.202.28
Jan 21, 2022 08:26:57.665756941 CET	49014	23	192.168.2.23	64.61.239.13
Jan 21, 2022 08:26:57.665756941 CET	49014	23	192.168.2.23	57.247.68.221
Jan 21, 2022 08:26:57.665757895 CET	49014	23	192.168.2.23	162.17.96.184
Jan 21, 2022 08:26:57.665760994 CET	49014	23	192.168.2.23	200.121.41.161
Jan 21, 2022 08:26:57.665766001 CET	49014	23	192.168.2.23	96.24.95.245
Jan 21, 2022 08:26:57.665771961 CET	49014	23	192.168.2.23	166.254.220.116
Jan 21, 2022 08:26:57.665775061 CET	49014	23	192.168.2.23	82.232.93.98
Jan 21, 2022 08:26:57.665779114 CET	49014	23	192.168.2.23	186.96.207.198
Jan 21, 2022 08:26:57.665783882 CET	49014	23	192.168.2.23	158.37.53.244
Jan 21, 2022 08:26:57.665785074 CET	49014	23	192.168.2.23	209.8.83.238
Jan 21, 2022 08:26:57.665786028 CET	49014	23	192.168.2.23	114.71.235.203
Jan 21, 2022 08:26:57.665787935 CET	49014	23	192.168.2.23	145.100.65.102
Jan 21, 2022 08:26:57.665793896 CET	49014	23	192.168.2.23	38.57.185.204
Jan 21, 2022 08:26:57.665796995 CET	49014	23	192.168.2.23	94.164.163.3
Jan 21, 2022 08:26:57.665800095 CET	49014	23	192.168.2.23	136.187.160.177
Jan 21, 2022 08:26:57.665802956 CET	49014	23	192.168.2.23	155.61.135.174
Jan 21, 2022 08:26:57.665803909 CET	49014	23	192.168.2.23	172.198.3.225
Jan 21, 2022 08:26:57.665810108 CET	49014	23	192.168.2.23	161.154.190.104
Jan 21, 2022 08:26:57.665812969 CET	49014	23	192.168.2.23	109.134.70.233
Jan 21, 2022 08:26:57.665812969 CET	49014	2323	192.168.2.23	170.66.243.166
Jan 21, 2022 08:26:57.665819883 CET	49014	23	192.168.2.23	122.177.155.216
Jan 21, 2022 08:26:57.665831089 CET	49014	23	192.168.2.23	223.39.249.103
Jan 21, 2022 08:26:57.665834904 CET	49014	23	192.168.2.23	45.50.163.26
Jan 21, 2022 08:26:57.665846109 CET	49014	23	192.168.2.23	163.46.208.131
Jan 21, 2022 08:26:57.665848970 CET	49014	23	192.168.2.23	20.142.16.35
Jan 21, 2022 08:26:57.665851116 CET	49014	23	192.168.2.23	100.224.207.209
Jan 21, 2022 08:26:57.665854931 CET	49014	23	192.168.2.23	104.178.105.237
Jan 21, 2022 08:26:57.665858030 CET	49014	23	192.168.2.23	188.124.233.55
Jan 21, 2022 08:26:57.665859938 CET	49014	23	192.168.2.23	181.118.6.21
Jan 21, 2022 08:26:57.665875912 CET	49014	23	192.168.2.23	35.201.25.179
Jan 21, 2022 08:26:57.665894985 CET	49014	2323	192.168.2.23	183.145.45.199
Jan 21, 2022 08:26:57.665904999 CET	49014	23	192.168.2.23	1.244.47.176
Jan 21, 2022 08:26:57.665904045 CET	49014	23	192.168.2.23	89.49.84.211
Jan 21, 2022 08:26:57.665915012 CET	49014	23	192.168.2.23	136.29.252.171
Jan 21, 2022 08:26:57.665915966 CET	49014	23	192.168.2.23	54.47.170.226
Jan 21, 2022 08:26:57.665915966 CET	49014	23	192.168.2.23	189.62.14.115
Jan 21, 2022 08:26:57.665920019 CET	49014	23	192.168.2.23	35.243.37.190
Jan 21, 2022 08:26:57.665920973 CET	49014	23	192.168.2.23	122.174.108.173
Jan 21, 2022 08:26:57.665925980 CET	49014	23	192.168.2.23	118.249.151.85
Jan 21, 2022 08:26:57.665927887 CET	49014	23	192.168.2.23	65.78.192.175
Jan 21, 2022 08:26:57.665934086 CET	49014	23	192.168.2.23	222.239.196.121
Jan 21, 2022 08:26:57.665941954 CET	49014	2323	192.168.2.23	126.76.186.241
Jan 21, 2022 08:26:57.665949106 CET	49014	23	192.168.2.23	25.197.223.197
Jan 21, 2022 08:26:57.665951014 CET	49014	23	192.168.2.23	176.192.132.185
Jan 21, 2022 08:26:57.665958881 CET	49014	23	192.168.2.23	202.193.62.212
Jan 21, 2022 08:26:57.665960073 CET	49014	23	192.168.2.23	144.0.14.9
Jan 21, 2022 08:26:57.665967941 CET	49014	23	192.168.2.23	113.228.173.202
Jan 21, 2022 08:26:57.665970087 CET	49014	23	192.168.2.23	168.25.135.197
Jan 21, 2022 08:26:57.665977955 CET	49014	23	192.168.2.23	135.31.63.152
Jan 21, 2022 08:26:57.665978909 CET	49014	23	192.168.2.23	85.242.80.9
Jan 21, 2022 08:26:57.665992022 CET	49014	2323	192.168.2.23	87.236.91.17
Jan 21, 2022 08:26:57.665994883 CET	49014	23	192.168.2.23	192.67.19.59
Jan 21, 2022 08:26:57.665999889 CET	49014	23	192.168.2.23	130.169.128.7
Jan 21, 2022 08:26:57.666001081 CET	49014	23	192.168.2.23	200.90.143.78

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 21, 2022 08:26:57.663700104 CET	192.168.2.23	8.8.8.8	0xbae5	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 21, 2022 08:26:57.679620981 CET	8.8.8.8	192.168.2.23	0xbae5	No error (0)	arcticboatz.cz		95.181.161.40	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: x86 PID: 5222, Parent PID: 5117

General

Start time:	08:26:56
Start date:	21/01/2022
Path:	/tmp/x86
Arguments:	/tmp/x86
File size:	74656 bytes
MD5 hash:	1780fa4bcc6aa107d0bbbc7bf00dfd0a

Analysis Process: x86 PID: 5223, Parent PID: 5222

General

Start time:	08:26:56
Start date:	21/01/2022
Path:	/tmp/x86
Arguments:	n/a
File size:	74656 bytes
MD5 hash:	1780fa4bcc6aa107d0bbbc7bf00dfd0a

Analysis Process: sh PID: 5223, Parent PID: 5222

General

Start time:	08:26:56
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	sh -c "rm -rf bin/systemd && mkdir bin; >bin/systemd && mv /tmp/x86 bin/systemd; chmod 777 bin/systemd"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 5224, Parent PID: 5223

General

Start time:	08:26:56
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: rm PID: 5224, Parent PID: 5223

General

Start time:	08:26:56
Start date:	21/01/2022
Path:	/usr/bin/rm
Arguments:	rm -rf bin/systemd
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Analysis Process: sh PID: 5225, Parent PID: 5223

General

Start time:	08:26:56
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: mkdir PID: 5225, Parent PID: 5223

General

Start time:	08:26:56
Start date:	21/01/2022
Path:	/usr/bin/mkdir
Arguments:	mkdir bin
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Analysis Process: sh PID: 5226, Parent PID: 5223

General

Start time:	08:26:56
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: mv PID: 5226, Parent PID: 5223

General

Start time:	08:26:56
Start date:	21/01/2022
Path:	/usr/bin/mv
Arguments:	mv /tmp/x86 bin/systemd
File size:	149888 bytes
MD5 hash:	504f0590fa482d4da070a702260e3716

Analysis Process: sh PID: 5227, Parent PID: 5223

General

Start time:	08:26:56
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: chmod PID: 5227, Parent PID: 5223

General

Start time:	08:26:56
Start date:	21/01/2022
Path:	/usr/bin/chmod
Arguments:	chmod 777 bin/systemd
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Analysis Process: x86 PID: 5228, Parent PID: 5222

General

Start time:	08:26:56
Start date:	21/01/2022
Path:	/tmp/x86
Arguments:	n/a
File size:	74656 bytes
MD5 hash:	1780fa4bcc6aa107d0bbbc7bf00dfd0a

Analysis Process: x86 PID: 5229, Parent PID: 5228

General

Start time:	08:26:56
Start date:	21/01/2022
Path:	/tmp/x86
Arguments:	n/a
File size:	74656 bytes
MD5 hash:	1780fa4bcc6aa107d0bbbc7bf00dfd0a

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report x86

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Overview

Initial Sample

Memory Dumps

Jbx Signature Overview

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: x86 PID: 5222, Parent PID: 5117

General

Analysis Process: x86 PID: 5223, Parent PID: 5222

General

Analysis Process: sh PID: 5223, Parent PID: 5222

General

Analysis Process: sh PID: 5224, Parent PID: 5223

General

Analysis Process: rm PID: 5224, Parent PID: 5223

General

Analysis Process: sh PID: 5225, Parent PID: 5223

General

Analysis Process: mkdir PID: 5225, Parent PID: 5223

General

Analysis Process: sh PID: 5226, Parent PID: 5223

General

Analysis Process: mv PID: 5226, Parent PID: 5223

General

Analysis Process: sh PID: 5227, Parent PID: 5223

General

Analysis Process: chmod PID: 5227, Parent PID: 5223

Linux Analysis Report
x86