Edit tour

Linux Analysis Report
arm5

Overview

General Information

Sample Name:	arm5
Analysis ID:	557499
MD5:	b2499605d6cb98e1d428956ca720f9f3
SHA1:	25c3039bf8fdb8814b1f61fb25c3fe299556e0e1
SHA256:	7b876157fd5cc9e7ca92a6d9702911160a96b4fa400befd40bd1307bbb06e656
Tags:	Mirai
Infos:

Detection

Mirai Moobot

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Moobot

Sets full permissions to files and/or directories

Yara signature match

Executes the "mkdir" command used to create folders

Uses the "uname" system call to query kernel version information (possible evasion)

Executes the "chmod" command used to modify permissions

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample has stripped symbol table

Sample tries to set the executable flag

Executes commands using a shell command-line interpreter

Executes the "rm" command used to delete files or directories

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	557499
Start date:	21.01.2022
Start time:	08:30:06
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 57s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	arm5
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal100.troj.lin@0/0@1/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/arm5
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	qazwsxedc
Standard Error:

Process Tree

system is lnxubuntu20

arm5 (PID: 5223, Parent: 5117, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm5

arm5 New Fork (PID: 5225, Parent: 5223)

sh (PID: 5225, Parent: 5223, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf bin/systemd && mkdir bin; >bin/systemd && mv /tmp/arm5 bin/systemd; chmod 777 bin/systemd"

sh New Fork (PID: 5227, Parent: 5225)

rm (PID: 5227, Parent: 5225, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf bin/systemd

sh New Fork (PID: 5228, Parent: 5225)

mkdir (PID: 5228, Parent: 5225, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir bin

sh New Fork (PID: 5229, Parent: 5225)

mv (PID: 5229, Parent: 5225, MD5: 504f0590fa482d4da070a702260e3716) Arguments: mv /tmp/arm5 bin/systemd

sh New Fork (PID: 5230, Parent: 5225)

chmod (PID: 5230, Parent: 5225, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 bin/systemd

arm5 New Fork (PID: 5231, Parent: 5223)

arm5 New Fork (PID: 5233, Parent: 5231)

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
arm5	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x11fb0:$x1: POST /cdn-cgi/ 0x11530:$x3: /dev/watchdog 0x1167c:$s1: LCOGQGPTGP
arm5	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x11fb0:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
arm5	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
arm5	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
arm5	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
5223.1.00000000bdb73fa0.0000000011aa4bfb.r-x.sdmp	Mirai_Botnet_Malware	Detects Mirai Botnet Malware	Florian Roth	0x11fb0:$x1: POST /cdn-cgi/ 0x11530:$x3: /dev/watchdog 0x1167c:$s1: LCOGQGPTGP
5223.1.00000000bdb73fa0.0000000011aa4bfb.r-x.sdmp	MAL_ELF_LNX_Mirai_Oct10_2	Detects ELF malware Mirai related	Florian Roth	0x11fb0:$c01: 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A
5223.1.00000000bdb73fa0.0000000011aa4bfb.r-x.sdmp	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
5223.1.00000000bdb73fa0.0000000011aa4bfb.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5223.1.00000000bdb73fa0.0000000011aa4bfb.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
Process Memory Space: arm5 PID: 5223	JoeSecurity_Moobot	Yara detected Moobot	Joe Security
Click to see the 1 entries

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: arm5

Avira: detected

Multi AV Scanner detection for submitted file

Source: arm5	Virustotal: Detection: 37%			Perma Link
Source: arm5	ReversingLabs: Detection: 51%

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 95.181.161.40:55005 -> 192.168.2.23:47080
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 101.206.74.223:23 -> 192.168.2.23:58864
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 101.206.74.223:23 -> 192.168.2.23:58864
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 101.206.74.223:23 -> 192.168.2.23:58870
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 101.206.74.223:23 -> 192.168.2.23:58870
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 223.10.240.16:23 -> 192.168.2.23:43370
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 101.206.74.223:23 -> 192.168.2.23:58876
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 101.206.74.223:23 -> 192.168.2.23:58876
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:50030 -> 210.82.109.1:23
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:58916 -> 101.206.74.223:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 101.206.74.223:23 -> 192.168.2.23:58916
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 101.206.74.223:23 -> 192.168.2.23:58916
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.206.180.206:23 -> 192.168.2.23:52206
Source: Traffic	Snort IDS: 716 INFO TELNET access 138.204.196.238:23 -> 192.168.2.23:40668
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.206.180.206:23 -> 192.168.2.23:52214
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 101.206.74.223:23 -> 192.168.2.23:58960
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 101.206.74.223:23 -> 192.168.2.23:58960
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.206.180.206:23 -> 192.168.2.23:52218
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.206.180.206:23 -> 192.168.2.23:52220
Source: Traffic	Snort IDS: 716 INFO TELNET access 138.204.196.238:23 -> 192.168.2.23:40678
Source: Traffic	Snort IDS: 716 INFO TELNET access 113.206.180.206:23 -> 192.168.2.23:52224

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic	TCP traffic: 192.168.2.23:47080 -> 95.181.161.40:55005
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 116.13.223.9:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 216.32.170.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 102.252.173.146:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 170.97.83.30:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 1.113.242.56:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 1.186.251.219:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 219.115.200.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 14.170.146.97:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 66.251.108.248:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 143.203.171.4:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 180.68.140.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 86.155.226.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 107.121.209.89:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 129.59.148.129:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 116.184.248.112:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 132.223.165.124:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 166.1.6.0:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 80.193.113.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 212.121.72.66:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 195.254.163.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 199.54.189.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 208.222.202.190:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 210.219.122.132:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 32.62.150.73:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 19.126.220.156:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 144.35.75.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 47.132.215.215:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 113.115.183.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 85.64.244.228:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 41.138.151.38:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 169.168.6.173:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 152.93.91.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 36.6.201.0:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 149.39.133.93:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 195.190.144.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 217.43.142.181:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 5.34.219.173:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 14.18.216.228:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 108.148.70.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 99.178.194.36:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 47.58.113.89:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 176.226.206.69:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 14.234.178.81:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 60.79.33.10:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 53.120.42.131:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 153.53.17.190:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 42.190.90.62:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 108.231.243.127:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 69.243.198.244:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 145.65.42.240:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 32.211.225.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 45.226.178.104:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 164.192.200.227:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 27.69.153.66:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 45.66.247.153:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 102.234.247.165:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 197.40.106.198:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 164.57.92.6:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 212.175.218.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 198.44.23.165:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 164.78.201.40:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 105.55.141.173:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 54.224.137.175:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 73.207.56.23:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 76.122.105.118:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 148.139.108.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 154.93.91.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 41.135.205.211:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 35.255.62.33:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 134.88.50.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 223.222.226.4:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 8.77.50.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 182.248.131.153:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 27.19.22.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 169.167.119.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 167.134.242.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 208.15.160.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 117.21.30.147:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 133.84.5.46:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 222.60.86.185:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 74.9.203.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 142.19.100.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 86.213.124.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 71.7.144.97:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 126.180.17.93:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 207.56.137.55:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 45.101.66.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 170.70.81.160:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 142.110.84.77:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 193.19.137.184:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 68.152.84.185:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 45.176.139.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 109.253.29.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 86.231.247.122:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 151.44.71.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 163.222.184.237:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 209.102.155.118:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 126.92.255.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 119.233.154.47:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 196.230.35.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 53.99.246.197:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 93.241.210.42:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 121.209.6.63:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 149.254.26.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 203.92.179.89:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 203.105.131.118:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 84.178.150.194:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 88.146.182.1:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 222.54.250.131:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 141.126.150.134:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 148.215.238.185:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 204.50.48.47:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 149.64.95.51:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 149.204.221.90:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 118.164.94.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 49.39.127.253:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 200.73.20.83:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 84.152.69.93:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 136.177.143.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 140.207.122.117:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 113.79.183.238:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 44.28.57.165:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 208.127.67.124:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 1.20.60.236:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 106.92.109.108:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 115.113.224.102:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 196.117.161.187:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 52.124.239.194:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 136.113.189.207:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 52.201.117.88:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 70.94.15.165:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 140.6.107.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 100.4.136.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 220.65.182.141:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 140.90.215.40:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 46.235.234.122:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 70.227.148.153:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 200.10.139.232:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 107.219.238.103:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 111.79.44.129:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 133.214.205.38:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 19.213.166.67:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 76.70.170.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 34.74.123.73:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 98.115.82.147:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 96.30.231.146:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 170.0.182.135:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 27.65.50.197:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 178.150.75.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 112.224.181.254:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 17.230.134.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 119.40.37.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 5.134.143.106:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 101.104.43.113:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 42.104.205.170:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 83.55.200.84:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 74.212.182.222:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 112.205.184.45:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 194.98.236.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 213.122.99.80:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 209.12.245.73:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 130.219.159.9:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 160.140.207.223:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 84.217.6.179:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 156.225.152.70:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 59.59.217.145:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 185.76.158.23:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 137.19.124.44:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 181.215.77.113:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 35.235.198.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 115.27.171.187:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 159.226.176.34:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 146.78.103.9:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 159.133.213.210:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 99.171.224.172:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 199.38.37.98:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 201.99.96.49:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 27.90.92.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 62.253.166.170:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 100.250.96.14:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 118.197.114.95:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 59.128.105.48:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 201.253.129.137:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 128.140.130.73:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 212.218.252.202:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 220.112.167.188:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 25.220.210.130:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 116.52.218.227:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 150.90.16.204:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 5.121.227.245:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 68.3.21.74:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 76.169.161.187:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 218.241.128.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 184.214.176.62:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 206.63.228.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 217.127.204.243:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 207.95.92.68:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 190.111.106.48:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 34.152.169.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 141.125.81.51:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 211.173.133.95:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 1.151.56.78:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 57.247.111.210:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 4.232.129.227:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 2.193.248.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 32.218.162.171:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 39.64.236.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 145.31.136.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 39.210.230.93:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 18.29.42.129:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 114.229.232.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 70.90.46.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 121.207.2.117:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 171.217.147.217:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 64.182.115.187:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 83.188.29.217:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 8.112.176.156:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 104.46.171.241:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 135.146.163.69:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 8.213.115.14:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 27.145.21.124:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 52.240.167.12:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 102.63.37.44:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 157.142.146.43:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 32.129.134.36:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 78.75.110.53:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 166.12.161.14:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 70.61.107.240:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 217.88.112.115:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 61.55.34.179:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 176.215.141.11:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 114.126.116.50:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 114.87.109.23:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 35.22.169.215:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 36.33.149.157:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 169.143.192.44:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 37.121.82.10:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 68.195.204.198:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 136.227.183.121:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 206.84.168.137:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 123.85.49.175:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 31.132.72.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 167.194.67.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 213.158.145.195:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 69.83.145.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 68.65.191.43:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 206.251.150.213:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 122.61.54.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 175.187.100.228:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 178.122.26.168:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 5.186.0.122:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 151.1.98.165:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 47.65.116.82:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 156.234.215.29:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 212.32.13.116:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 174.65.133.3:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 184.197.31.46:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 168.217.247.78:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 59.174.254.158:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 212.167.39.8:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 174.18.200.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 77.119.50.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 52.65.65.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 197.242.210.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 64.47.123.149:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 128.204.39.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 128.125.124.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 164.121.91.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 65.155.97.246:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 95.27.130.236:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 40.215.189.13:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 111.239.88.141:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 71.94.208.57:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 102.44.13.81:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 36.119.76.18:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 199.67.117.151:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 149.49.66.193:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 174.52.247.221:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 38.0.146.122:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 174.38.20.3:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 92.19.28.93:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 45.50.4.97:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 131.222.245.176:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 102.154.12.70:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 53.173.13.131:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 167.205.222.60:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 141.211.209.5:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 144.248.184.56:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 217.246.68.133:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 200.221.108.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 51.231.40.105:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 193.87.160.140:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 136.154.188.190:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 131.164.52.212:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 93.251.2.187:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 205.126.224.195:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 67.6.253.23:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 89.70.114.170:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 210.93.222.32:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 128.64.1.116:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 173.116.216.155:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 150.193.104.236:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 193.211.237.27:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 122.28.243.218:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 185.245.165.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 104.224.246.141:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 195.140.187.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 164.215.84.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 133.188.188.168:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 140.158.88.239:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 222.54.110.250:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 107.131.44.50:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 40.151.204.102:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 142.53.163.182:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 47.32.101.37:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 169.25.22.141:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 4.226.94.67:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 88.175.44.122:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 196.63.13.195:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 156.219.23.213:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 44.24.19.125:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 106.52.188.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 103.232.226.219:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 138.176.198.102:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 168.211.193.222:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 196.200.252.215:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 44.153.146.209:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 166.136.19.55:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 219.190.155.31:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 48.213.167.189:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 60.38.169.122:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 109.75.27.165:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 27.171.177.77:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 219.89.31.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 76.45.188.196:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 201.177.214.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 171.152.18.191:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 44.27.245.171:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 67.228.184.224:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 13.173.244.40:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 94.1.228.43:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 68.94.125.0:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 165.24.84.26:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 43.70.254.172:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 220.27.75.231:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 159.36.177.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 185.96.196.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 132.121.254.147:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 181.64.20.195:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 219.237.118.133:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 120.246.51.82:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 4.37.88.217:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 48.103.79.79:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 106.235.181.115:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 121.55.120.167:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 210.254.199.75:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 75.238.193.46:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 90.79.16.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 206.135.103.19:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 27.238.88.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 39.42.224.206:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 154.50.167.173:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 221.211.218.159:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 221.140.191.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 179.211.5.167:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 52.114.17.222:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 174.71.51.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 181.212.252.227:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 148.3.176.247:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 103.56.161.39:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 178.156.9.181:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 57.160.103.212:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 81.177.165.252:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 189.32.152.7:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 182.165.135.215:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 80.202.51.127:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 71.239.58.127:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 70.49.36.102:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 44.70.188.115:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 199.108.203.20:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 85.42.68.143:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 81.121.93.253:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 197.124.253.140:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 73.187.109.207:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 96.158.117.10:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 50.125.184.32:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 62.2.70.32:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 101.223.216.67:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 86.146.82.98:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 196.36.29.84:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 5.101.38.200:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 139.140.25.201:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 45.242.45.22:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 165.13.248.120:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 118.211.160.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 27.118.188.230:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 74.23.100.185:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 175.21.94.48:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 208.63.166.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 90.104.54.72:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 4.247.138.67:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 118.154.228.158:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 184.101.246.14:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 57.243.15.219:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 44.12.75.83:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 84.158.14.223:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 178.130.194.108:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 86.120.205.10:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 34.92.175.94:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 75.230.235.65:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 205.183.89.25:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 39.9.113.152:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 137.177.210.145:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 61.175.234.136:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 119.117.62.190:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 59.213.204.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 153.24.8.194:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 101.74.50.154:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 166.164.76.220:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 111.228.233.151:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 135.49.84.213:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 209.28.99.19:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 54.38.166.205:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 83.226.226.195:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 112.9.53.175:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 178.242.200.249:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 57.210.31.162:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 72.174.19.139:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 186.56.47.248:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 194.117.18.110:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 222.6.183.25:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 187.23.157.49:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 143.130.149.29:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 175.93.64.148:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 216.146.184.130:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 132.190.162.112:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 175.111.14.142:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 162.83.69.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 124.206.156.21:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 17.105.170.126:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 41.202.46.111:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 97.15.15.76:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 158.198.47.87:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 47.214.32.169:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 73.132.121.80:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 66.129.127.59:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 32.32.103.81:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 185.149.222.118:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 38.122.219.0:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 19.43.28.174:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 48.41.136.185:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 36.160.157.223:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 79.91.141.137:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 139.196.12.167:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 197.201.119.21:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 160.247.185.96:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 184.197.137.196:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 74.0.231.105:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 123.228.42.253:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 186.150.137.2:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 202.15.24.233:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 128.202.59.233:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 167.31.60.86:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 43.116.225.235:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 45.26.140.255:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 54.56.212.95:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 167.30.244.234:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 54.85.218.140:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 103.28.40.160:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 201.188.159.19:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 88.64.209.254:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 168.8.117.132:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 166.10.33.52:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 102.182.12.7:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 34.109.71.241:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 85.229.229.55:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 90.212.30.150:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 91.168.245.0:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 84.11.210.35:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 4.197.45.61:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 176.92.20.117:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 132.178.58.164:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 76.68.45.99:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 174.254.125.183:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 131.108.149.188:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 183.54.247.212:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 18.57.124.63:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 43.87.245.170:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 126.194.253.165:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 188.58.121.97:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 82.251.222.130:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 194.212.181.158:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 38.37.209.17:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 114.10.199.210:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 131.157.123.208:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 113.109.44.64:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 117.144.67.118:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 75.15.212.213:2323
Source: global traffic	TCP traffic: 192.168.2.23:35132 -> 125.169.99.109:2323

Source: /tmp/arm5 (PID: 5223)

Socket: 127.0.0.1::1124

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 116.13.223.9
Source: unknown	TCP traffic detected without corresponding DNS query: 31.158.237.9
Source: unknown	TCP traffic detected without corresponding DNS query: 160.37.228.195
Source: unknown	TCP traffic detected without corresponding DNS query: 93.34.206.193
Source: unknown	TCP traffic detected without corresponding DNS query: 163.62.54.215
Source: unknown	TCP traffic detected without corresponding DNS query: 206.99.88.113
Source: unknown	TCP traffic detected without corresponding DNS query: 48.247.86.14
Source: unknown	TCP traffic detected without corresponding DNS query: 36.88.157.152
Source: unknown	TCP traffic detected without corresponding DNS query: 94.216.159.204
Source: unknown	TCP traffic detected without corresponding DNS query: 31.238.164.136
Source: unknown	TCP traffic detected without corresponding DNS query: 216.32.170.209
Source: unknown	TCP traffic detected without corresponding DNS query: 41.152.68.215
Source: unknown	TCP traffic detected without corresponding DNS query: 180.228.252.195
Source: unknown	TCP traffic detected without corresponding DNS query: 218.94.163.52
Source: unknown	TCP traffic detected without corresponding DNS query: 136.33.79.92
Source: unknown	TCP traffic detected without corresponding DNS query: 60.7.26.90
Source: unknown	TCP traffic detected without corresponding DNS query: 109.222.146.115
Source: unknown	TCP traffic detected without corresponding DNS query: 102.252.173.146
Source: unknown	TCP traffic detected without corresponding DNS query: 136.45.205.145
Source: unknown	TCP traffic detected without corresponding DNS query: 132.37.144.32
Source: unknown	TCP traffic detected without corresponding DNS query: 95.237.81.148
Source: unknown	TCP traffic detected without corresponding DNS query: 4.96.14.150
Source: unknown	TCP traffic detected without corresponding DNS query: 65.184.226.224
Source: unknown	TCP traffic detected without corresponding DNS query: 75.159.138.1
Source: unknown	TCP traffic detected without corresponding DNS query: 216.219.166.14
Source: unknown	TCP traffic detected without corresponding DNS query: 60.229.79.224
Source: unknown	TCP traffic detected without corresponding DNS query: 170.97.83.30
Source: unknown	TCP traffic detected without corresponding DNS query: 31.181.27.129
Source: unknown	TCP traffic detected without corresponding DNS query: 107.138.67.115
Source: unknown	TCP traffic detected without corresponding DNS query: 137.164.117.104
Source: unknown	TCP traffic detected without corresponding DNS query: 54.78.167.31
Source: unknown	TCP traffic detected without corresponding DNS query: 79.39.177.20
Source: unknown	TCP traffic detected without corresponding DNS query: 96.214.252.89
Source: unknown	TCP traffic detected without corresponding DNS query: 102.28.215.216
Source: unknown	TCP traffic detected without corresponding DNS query: 101.8.70.205
Source: unknown	TCP traffic detected without corresponding DNS query: 82.124.96.164
Source: unknown	TCP traffic detected without corresponding DNS query: 182.15.62.214
Source: unknown	TCP traffic detected without corresponding DNS query: 220.233.70.86
Source: unknown	TCP traffic detected without corresponding DNS query: 134.194.13.103
Source: unknown	TCP traffic detected without corresponding DNS query: 23.170.168.206
Source: unknown	TCP traffic detected without corresponding DNS query: 65.167.105.201
Source: unknown	TCP traffic detected without corresponding DNS query: 160.168.173.167
Source: unknown	TCP traffic detected without corresponding DNS query: 219.229.0.84
Source: unknown	TCP traffic detected without corresponding DNS query: 60.12.88.80
Source: unknown	TCP traffic detected without corresponding DNS query: 47.131.12.57
Source: unknown	TCP traffic detected without corresponding DNS query: 59.226.55.173
Source: unknown	TCP traffic detected without corresponding DNS query: 130.177.176.73
Source: unknown	TCP traffic detected without corresponding DNS query: 144.182.85.165
Source: unknown	TCP traffic detected without corresponding DNS query: 142.197.143.149
Source: unknown	TCP traffic detected without corresponding DNS query: 79.146.248.247

Source: unknown

DNS traffic detected: queries for: arcticboatz.cz

System Summary

Malicious sample detected (through community Yara rule)

Source: arm5, type: SAMPLE	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: arm5, type: SAMPLE	Matched rule: Detects ELF malware Mirai related Author: Florian Roth
Source: 5223.1.00000000bdb73fa0.0000000011aa4bfb.r-x.sdmp, type: MEMORY	Matched rule: Detects Mirai Botnet Malware Author: Florian Roth
Source: 5223.1.00000000bdb73fa0.0000000011aa4bfb.r-x.sdmp, type: MEMORY	Matched rule: Detects ELF malware Mirai related Author: Florian Roth

Source: arm5, type: SAMPLE	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: arm5, type: SAMPLE	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research
Source: 5223.1.00000000bdb73fa0.0000000011aa4bfb.r-x.sdmp, type: MEMORY	Matched rule: Mirai_Botnet_Malware date = 2016-10-04, hash5 = 420bf9215dfb04e5008c5e522eee9946599e2b323b17f17919cd802ebb012175, hash4 = 2efa09c124f277be2199bee58f49fc0ce6c64c0bef30079dfb3d94a6de492a69, hash3 = 20683ff7a5fec1237fc09224af40be029b9548c62c693844624089af568c89d4, hash2 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, hash1 = 05c78c3052b390435e53a87e3d31e9fb17f7c76bb4df2814313bca24735ce81c, author = Florian Roth, description = Detects Mirai Botnet Malware, hash10 = c61bf95146c68bfbbe01d7695337ed0e93ea759f59f651799f07eecdb339f83f, hash11 = d9573c3850e2ae35f371dff977fc3e5282a5e67db8e3274fd7818e8273fd5c89, hash12 = f1100c84abff05e0501e77781160d9815628e7fd2de9e53f5454dbcac7c84ca5, hash9 = bf0471b37dba7939524a30d7d5afc8fcfb8d4a7c9954343196737e72ea4e2dc4, hash8 = 89570ae59462e6472b6769545a999bde8457e47ae0d385caaa3499ab735b8147, hash7 = 70bb0ec35dd9afcfd52ec4e1d920e7045dc51dca0573cd4c753987c9d79405c0, hash6 = 62cdc8b7fffbaf5683a466f6503c03e68a15413a90f6afd5a13ba027631460c6, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash13 = fb713ccf839362bf0fbe01aedd6796f4d74521b133011b408e42c1fd9ab8246b
Source: 5223.1.00000000bdb73fa0.0000000011aa4bfb.r-x.sdmp, type: MEMORY	Matched rule: MAL_ELF_LNX_Mirai_Oct10_2 date = 2018-10-27, hash1 = fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9, author = Florian Roth, description = Detects ELF malware Mirai related, reference = Internal Research

Source: ELF static info symbol of initial sample

.symtab present: no

Source: Initial sample	String containing 'busybox' found: bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox
Source: Initial sample	String containing 'busybox' found: f%s:%dwebservarm7x86_64ppcm68kbin/busyboxbin/watchdogbin/systemd/bin/busybox/bin/watchdog/bin/systemd$

Source: classification engine

Classification label: mal100.troj.lin@0/0@1/0

Persistence and Installation Behavior

Sets full permissions to files and/or directories

Source: /bin/sh (PID: 5230)

Chmod executable with 777: /usr/bin/chmod -> chmod 777 bin/systemd

Source: /bin/sh (PID: 5228)

Mkdir executable: /usr/bin/mkdir -> mkdir bin

Source: /bin/sh (PID: 5230)

Chmod executable: /usr/bin/chmod -> chmod 777 bin/systemd

Source: /usr/bin/chmod (PID: 5230)

File: /tmp/bin/systemd (bits: - usr: rwx grp: rwx all: rwx)

Jump to behavior

Source: /tmp/arm5 (PID: 5225)

Shell command executed: sh -c "rm -rf bin/systemd && mkdir bin; >bin/systemd && mv /tmp/arm5 bin/systemd; chmod 777 bin/systemd"

Source: /bin/sh (PID: 5227)

Rm executable: /usr/bin/rm -> rm -rf bin/systemd

Source: /tmp/arm5 (PID: 5223)

Queries kernel information via 'uname':

Source: arm5, 5223.1.0000000068877452.00000000a28575cb.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: arm5, 5223.1.00000000d7e86144.0000000075f40b0b.rw-.sdmp	Binary or memory string: )x86_64/usr/bin/qemu-arm/tmp/arm5SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm5
Source: arm5, 5223.1.0000000068877452.00000000a28575cb.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: arm5, 5223.1.00000000d7e86144.0000000075f40b0b.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: arm5, type: SAMPLE
Source: Yara match	File source: 5223.1.00000000bdb73fa0.0000000011aa4bfb.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: arm5, type: SAMPLE
Source: Yara match	File source: 5223.1.00000000bdb73fa0.0000000011aa4bfb.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arm5 PID: 5223, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: arm5, type: SAMPLE
Source: Yara match	File source: 5223.1.00000000bdb73fa0.0000000011aa4bfb.r-x.sdmp, type: MEMORY

Yara detected Moobot

Source: Yara match	File source: arm5, type: SAMPLE
Source: Yara match	File source: 5223.1.00000000bdb73fa0.0000000011aa4bfb.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: arm5 PID: 5223, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	Path Interception	Path Interception	2 File and Directory Permissions Modification	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Scripting	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
arm5	38%	Virustotal		Browse
arm5	51%	ReversingLabs	Linux.Trojan.Mirai
arm5	100%	Avira	LINUX/Mirai.bonb

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
arcticboatz.cz	4%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
arcticboatz.cz	95.181.161.40	true	true	4%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
210.101.243.135	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
200.101.154.113	unknown	Brazil	8167	BrasilTelecomSA-FilialDistritoFederalBR	false
159.177.201.81	unknown	Canada	34058	LIFECELL-ASUA	false
197.104.90.78	unknown	South Africa	37168	CELL-CZA	false
210.134.201.242	unknown	Japan	9354	TDNCCommunityNetworkCenterIncJP	false
66.9.20.36	unknown	United States	18885	M2NGAGE2US	false
104.59.161.94	unknown	United States	7018	ATT-INTERNET4US	false
67.59.196.74	unknown	United States	22667	VISTAUS	false
168.55.13.206	unknown	United States	1761	TDIR-CAPNETUS	false
159.73.193.217	unknown	Australia	1257	TELE2EU	false
139.61.36.211	unknown	United States	14618	AMAZON-AESUS	false
115.114.255.34	unknown	India	4755	TATACOMM-ASTATACommunicationsformerlyVSNLisLeadingISP	false
24.104.235.255	unknown	United States	12271	TWC-12271-NYCUS	false
72.200.216.59	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
140.89.4.184	unknown	United States	33651	CMCSUS	false
5.38.244.52	unknown	Hungary	5483	MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU	false
57.221.183.135	unknown	Belgium	2686	ATGS-MMD-ASUS	false
212.251.163.97	unknown	Norway	2119	TELENOR-NEXTELTelenorNorgeASNO	false
213.16.169.31	unknown	Greece	1241	FORTHNET-GRForthnetEU	false
97.14.248.254	unknown	United States	22394	CELLCOUS	false
14.180.194.14	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
189.55.193.122	unknown	Brazil	28573	CLAROSABR	false
159.238.37.165	unknown	United States	14977	STATE-OF-WYOMING-ASNUS	false
12.139.76.104	unknown	United States	7018	ATT-INTERNET4US	false
221.17.67.232	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
137.169.117.219	unknown	United States	14981	KIRKLAND-ELLISUS	false
205.155.0.199	unknown	United States	14212	SANTA-CRUZ-EDNETUS	false
86.145.148.173	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
89.212.1.130	unknown	Slovenia	34779	T-2-ASASsetpropagatedbyT-2dooSI	false
177.239.180.14	unknown	Mexico	28554	CablemasTelecomunicacionesSAdeCVMX	false
73.34.174.52	unknown	United States	7922	COMCAST-7922US	false
98.232.158.193	unknown	United States	7922	COMCAST-7922US	false
111.146.246.17	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
143.26.165.222	unknown	United States	264008	LANCAMANTOANISERVICOSDEINFORMATICALTDA-MEBR	false
201.193.22.123	unknown	Costa Rica	11830	InstitutoCostarricensedeElectricidadyTelecomCR	false
67.156.64.89	unknown	United States	1226	CTA-42-AS1226US	false
65.198.123.22	unknown	United States	701	UUNETUS	false
105.31.246.182	unknown	Mauritius	37100	SEACOM-ASMU	false
32.87.115.107	unknown	United States	2686	ATGS-MMD-ASUS	false
4.115.139.55	unknown	United States	3356	LEVEL3US	false
219.20.46.100	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
73.3.202.148	unknown	United States	7922	COMCAST-7922US	false
137.244.51.233	unknown	United States	385	AFCONC-BLOCK1-ASUS	false
148.184.150.68	unknown	United States	3423	ATTIS-ASN3423US	false
164.55.31.11	unknown	United States	683	ARGONNE-ASUS	false
1.28.186.128	unknown	China	139007	UNICOM-NM-WULANCHABU-IDCUNICOMInnerMongoliaprovincenetwo	false
223.57.9.44	unknown	Korea Republic of	9644	SKTELECOM-NET-ASSKTelecomKR	false
137.32.136.109	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
185.11.56.21	unknown	Switzerland	12329	TMRDE	false
43.106.87.16	unknown	Japan	4249	LILLY-ASUS	false
208.8.135.179	unknown	United States	1239	SPRINTLINKUS	false
184.185.219.179	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
2.226.207.141	unknown	Italy	12874	FASTWEBIT	false
78.108.201.88	unknown	Russian Federation	31430	TEL-NET-ASRU	false
106.20.137.151	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
93.161.234.172	unknown	Denmark	3292	TDCTDCASDK	false
70.150.78.4	unknown	United States	6389	BELLSOUTH-NET-BLKUS	false
190.188.24.106	unknown	Argentina	10481	TelecomArgentinaSAAR	false
40.107.129.67	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
34.249.149.34	unknown	United States	16509	AMAZON-02US	false
167.44.101.157	unknown	Canada	2665	CDAGOVNCA	false
169.22.99.146	unknown	United States	37611	AfrihostZA	false
177.58.101.176	unknown	Brazil	22085	ClaroSABR	false
170.76.213.125	unknown	United States	23478	CHAS-HEALTHUS	false
104.79.226.223	unknown	United States	8551	BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL	false
46.32.32.175	unknown	Denmark	39642	DK-ESS-ASDK	false
130.178.130.128	unknown	United States	16509	AMAZON-02US	false
155.83.115.83	unknown	United States	4010	DNIC-AS-04010US	false
212.40.173.169	unknown	Germany	61157	PLUSSERVER-ASN1DE	false
180.29.63.127	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
187.245.214.253	unknown	Mexico	13999	MegaCableSAdeCVMX	false
72.249.104.46	unknown	United States	55045	TEKTONICUS	false
157.234.53.177	unknown	United States	7018	ATT-INTERNET4US	false
121.139.48.109	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
100.5.190.229	unknown	United States	701	UUNETUS	false
154.122.4.94	unknown	Kenya	12455	JAMBONETKE	false
78.107.25.80	unknown	Russian Federation	8402	CORBINA-ASOJSCVimpelcomRU	false
165.83.226.16	unknown	United States	22284	AS22284-DOI-OPSUS	false
37.223.218.103	unknown	Spain	12430	VODAFONE_ESES	false
125.218.31.185	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
217.110.140.204	unknown	Germany	8220	COLTCOLTTechnologyServicesGroupLimitedGB	false
218.191.83.197	unknown	Hong Kong	9304	HUTCHISON-AS-APHGCGlobalCommunicationsLimitedHK	false
91.115.41.40	unknown	Austria	8447	TELEKOM-ATA1TelekomAustriaAGAT	false
136.84.160.156	unknown	United States	60311	ONEFMCH	false
44.246.216.249	unknown	United States	16509	AMAZON-02US	false
171.184.20.206	unknown	United States	9874	STARHUB-MOBILEStarHubLtdSG	false
146.35.15.155	unknown	United States	197938	TRAVIANGAMESDE	false
210.154.127.1	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
210.184.41.88	unknown	Hong Kong	4058	CITICTEL-CPC-AS4058CITICTelecomInternationalCPCLimited	false
93.166.171.73	unknown	Denmark	3292	TDCTDCASDK	false
103.56.222.51	unknown	India	36351	SOFTLAYERUS	false
181.92.48.204	unknown	Argentina	7303	TelecomArgentinaSAAR	false
170.38.152.104	unknown	Malaysia	139776	PETRONAS-BHD-AS-APPetroliamNasionalBerhadMY	false
134.116.162.78	unknown	United States	10455	LUCENT-CIOUS	false
57.250.134.147	unknown	Belgium	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
76.40.116.134	unknown	United States	18494	CENTURYLINK-LEGACY-EMBARQ-WRBGUS	false
195.207.36.236	unknown	Belgium	5432	PROXIMUS-ISP-ASBE	false
87.186.232.66	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
101.76.125.54	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
192.111.221.75	unknown	United States	46562	TOTAL-SERVER-SOLUTIONSUS	false

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.130950571252559
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	arm5
File size:	79440
MD5:	b2499605d6cb98e1d428956ca720f9f3
SHA1:	25c3039bf8fdb8814b1f61fb25c3fe299556e0e1
SHA256:	7b876157fd5cc9e7ca92a6d9702911160a96b4fa400befd40bd1307bbb06e656
SHA512:	ffff2c1124118a8a0598fbbc0b2e052765ba217c3bfea47c3a4c006e42bf6ef5e131adcda2e076b6a123f3c5b652fa36278308ee52d1bb50a9be60a19b646c06
SSDEEP:	1536:EG5ixEJIFOnozX7mgbivK/fl2uHQTnsVqbVb3G33x8vqIT0YwbZnZ:DJgzLmDvbuwTfRb3GOvxwbZnZ
File Content Preview:	.ELF...a..........(.........4....4......4. ...(......................1...1...............1...1...1..p....&..........Q.td..................................-...L."....D..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x2
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	79040
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x11304	0x0	0x6	AX	16
.fini	PROGBITS	0x193b4	0x113b4	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x193c8	0x113c8	0x1d44	0x0	0x2	A	4
.ctors	PROGBITS	0x23110	0x13110	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x23118	0x13118	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x23124	0x13124	0x35c	0x0	0x3	WA	4
.bss	NOBITS	0x23480	0x13480	0x237c	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x13480	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x1310c	0x1310c	3.4509	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x13110	0x23110	0x23110	0x370	0x26ec	1.6671	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 21, 2022 08:30:49.216882944 CET	47080	55005	192.168.2.23	95.181.161.40
Jan 21, 2022 08:30:49.217992067 CET	35132	2323	192.168.2.23	116.13.223.9
Jan 21, 2022 08:30:49.218019009 CET	35132	23	192.168.2.23	31.158.237.9
Jan 21, 2022 08:30:49.218060017 CET	35132	23	192.168.2.23	160.37.228.195
Jan 21, 2022 08:30:49.218075037 CET	35132	23	192.168.2.23	93.34.206.193
Jan 21, 2022 08:30:49.218077898 CET	35132	23	192.168.2.23	163.62.54.215
Jan 21, 2022 08:30:49.218081951 CET	35132	23	192.168.2.23	206.99.88.113
Jan 21, 2022 08:30:49.218095064 CET	35132	23	192.168.2.23	48.247.86.14
Jan 21, 2022 08:30:49.218108892 CET	35132	23	192.168.2.23	36.88.157.152
Jan 21, 2022 08:30:49.218113899 CET	35132	23	192.168.2.23	94.216.159.204
Jan 21, 2022 08:30:49.218117952 CET	35132	23	192.168.2.23	31.238.164.136
Jan 21, 2022 08:30:49.218125105 CET	35132	2323	192.168.2.23	216.32.170.209
Jan 21, 2022 08:30:49.218216896 CET	35132	23	192.168.2.23	41.152.68.215
Jan 21, 2022 08:30:49.218223095 CET	35132	23	192.168.2.23	180.228.252.195
Jan 21, 2022 08:30:49.218226910 CET	35132	23	192.168.2.23	130.38.210.93
Jan 21, 2022 08:30:49.218230009 CET	35132	23	192.168.2.23	218.94.163.52
Jan 21, 2022 08:30:49.218238115 CET	35132	23	192.168.2.23	136.33.79.92
Jan 21, 2022 08:30:49.218362093 CET	35132	23	192.168.2.23	60.7.26.90
Jan 21, 2022 08:30:49.218363047 CET	35132	23	192.168.2.23	109.222.146.115
Jan 21, 2022 08:30:49.218365908 CET	35132	2323	192.168.2.23	102.252.173.146
Jan 21, 2022 08:30:49.218369007 CET	35132	23	192.168.2.23	136.45.205.145
Jan 21, 2022 08:30:49.218374968 CET	35132	23	192.168.2.23	132.37.144.32
Jan 21, 2022 08:30:49.218378067 CET	35132	23	192.168.2.23	95.237.81.148
Jan 21, 2022 08:30:49.218379021 CET	35132	23	192.168.2.23	4.96.14.150
Jan 21, 2022 08:30:49.218379021 CET	35132	23	192.168.2.23	65.184.226.224
Jan 21, 2022 08:30:49.218380928 CET	35132	23	192.168.2.23	75.159.138.1
Jan 21, 2022 08:30:49.218385935 CET	35132	23	192.168.2.23	216.219.166.14
Jan 21, 2022 08:30:49.218389988 CET	35132	23	192.168.2.23	60.229.79.224
Jan 21, 2022 08:30:49.218391895 CET	35132	2323	192.168.2.23	170.97.83.30
Jan 21, 2022 08:30:49.218400002 CET	35132	23	192.168.2.23	31.181.27.129
Jan 21, 2022 08:30:49.218408108 CET	35132	23	192.168.2.23	107.138.67.115
Jan 21, 2022 08:30:49.218413115 CET	35132	23	192.168.2.23	25.226.10.233
Jan 21, 2022 08:30:49.218426943 CET	35132	23	192.168.2.23	137.164.117.104
Jan 21, 2022 08:30:49.218436956 CET	35132	23	192.168.2.23	54.78.167.31
Jan 21, 2022 08:30:49.218445063 CET	35132	23	192.168.2.23	79.39.177.20
Jan 21, 2022 08:30:49.218447924 CET	35132	23	192.168.2.23	96.214.252.89
Jan 21, 2022 08:30:49.218458891 CET	35132	23	192.168.2.23	102.28.215.216
Jan 21, 2022 08:30:49.218468904 CET	35132	23	192.168.2.23	101.8.70.205
Jan 21, 2022 08:30:49.218477964 CET	35132	23	192.168.2.23	82.124.96.164
Jan 21, 2022 08:30:49.218488932 CET	35132	23	192.168.2.23	182.15.62.214
Jan 21, 2022 08:30:49.218492985 CET	35132	23	192.168.2.23	68.10.120.41
Jan 21, 2022 08:30:49.218498945 CET	35132	23	192.168.2.23	220.233.70.86
Jan 21, 2022 08:30:49.218504906 CET	35132	23	192.168.2.23	134.194.13.103
Jan 21, 2022 08:30:49.218509912 CET	35132	23	192.168.2.23	23.170.168.206
Jan 21, 2022 08:30:49.218516111 CET	35132	23	192.168.2.23	65.167.105.201
Jan 21, 2022 08:30:49.218527079 CET	35132	23	192.168.2.23	160.168.173.167
Jan 21, 2022 08:30:49.218527079 CET	35132	23	192.168.2.23	219.229.0.84
Jan 21, 2022 08:30:49.218528032 CET	35132	23	192.168.2.23	60.12.88.80
Jan 21, 2022 08:30:49.218529940 CET	35132	23	192.168.2.23	47.131.12.57
Jan 21, 2022 08:30:49.218530893 CET	35132	23	192.168.2.23	59.226.55.173
Jan 21, 2022 08:30:49.218532085 CET	35132	23	192.168.2.23	130.177.176.73
Jan 21, 2022 08:30:49.218533039 CET	35132	23	192.168.2.23	144.182.85.165
Jan 21, 2022 08:30:49.218533039 CET	35132	23	192.168.2.23	142.197.143.149
Jan 21, 2022 08:30:49.218534946 CET	35132	23	192.168.2.23	79.146.248.247
Jan 21, 2022 08:30:49.218535900 CET	35132	23	192.168.2.23	203.18.243.24
Jan 21, 2022 08:30:49.218534946 CET	35132	23	192.168.2.23	148.103.11.130
Jan 21, 2022 08:30:49.218537092 CET	35132	23	192.168.2.23	48.9.109.114
Jan 21, 2022 08:30:49.218539000 CET	35132	23	192.168.2.23	39.21.207.88
Jan 21, 2022 08:30:49.218542099 CET	35132	23	192.168.2.23	165.20.118.200
Jan 21, 2022 08:30:49.218543053 CET	35132	2323	192.168.2.23	1.113.242.56
Jan 21, 2022 08:30:49.218544006 CET	35132	23	192.168.2.23	117.158.4.84
Jan 21, 2022 08:30:49.218545914 CET	35132	23	192.168.2.23	148.119.33.115
Jan 21, 2022 08:30:49.218549013 CET	35132	23	192.168.2.23	133.138.61.174
Jan 21, 2022 08:30:49.218554974 CET	35132	23	192.168.2.23	206.82.35.205
Jan 21, 2022 08:30:49.218563080 CET	35132	2323	192.168.2.23	1.186.251.219
Jan 21, 2022 08:30:49.218566895 CET	35132	23	192.168.2.23	137.231.18.155
Jan 21, 2022 08:30:49.218569994 CET	35132	2323	192.168.2.23	219.115.200.20
Jan 21, 2022 08:30:49.218574047 CET	35132	2323	192.168.2.23	14.170.146.97
Jan 21, 2022 08:30:49.218575954 CET	35132	23	192.168.2.23	147.228.126.236
Jan 21, 2022 08:30:49.218578100 CET	35132	23	192.168.2.23	219.152.174.244
Jan 21, 2022 08:30:49.218583107 CET	35132	23	192.168.2.23	210.88.129.255
Jan 21, 2022 08:30:49.218589067 CET	35132	23	192.168.2.23	148.117.11.233
Jan 21, 2022 08:30:49.218590021 CET	35132	23	192.168.2.23	87.215.197.138
Jan 21, 2022 08:30:49.218591928 CET	35132	23	192.168.2.23	8.2.250.15
Jan 21, 2022 08:30:49.218596935 CET	35132	23	192.168.2.23	82.226.112.79
Jan 21, 2022 08:30:49.218600988 CET	35132	23	192.168.2.23	80.126.137.136
Jan 21, 2022 08:30:49.218605042 CET	35132	23	192.168.2.23	68.217.3.120
Jan 21, 2022 08:30:49.218609095 CET	35132	2323	192.168.2.23	66.251.108.248
Jan 21, 2022 08:30:49.218616009 CET	35132	23	192.168.2.23	151.123.192.165
Jan 21, 2022 08:30:49.218621016 CET	35132	23	192.168.2.23	27.92.219.1
Jan 21, 2022 08:30:49.218625069 CET	35132	23	192.168.2.23	199.115.144.52
Jan 21, 2022 08:30:49.218627930 CET	35132	23	192.168.2.23	213.136.95.73
Jan 21, 2022 08:30:49.218631983 CET	35132	23	192.168.2.23	210.218.94.255
Jan 21, 2022 08:30:49.218633890 CET	35132	23	192.168.2.23	17.107.97.145
Jan 21, 2022 08:30:49.218641043 CET	35132	23	192.168.2.23	53.113.189.226
Jan 21, 2022 08:30:49.218642950 CET	35132	23	192.168.2.23	137.22.244.244
Jan 21, 2022 08:30:49.218646049 CET	35132	23	192.168.2.23	211.7.243.199
Jan 21, 2022 08:30:49.218650103 CET	35132	2323	192.168.2.23	143.203.171.4
Jan 21, 2022 08:30:49.218651056 CET	35132	23	192.168.2.23	104.66.199.91
Jan 21, 2022 08:30:49.218652964 CET	35132	23	192.168.2.23	73.199.117.136
Jan 21, 2022 08:30:49.218656063 CET	35132	23	192.168.2.23	188.18.250.1
Jan 21, 2022 08:30:49.218657017 CET	35132	23	192.168.2.23	202.185.173.155
Jan 21, 2022 08:30:49.218664885 CET	35132	23	192.168.2.23	51.234.48.206
Jan 21, 2022 08:30:49.218667984 CET	35132	23	192.168.2.23	5.71.55.239
Jan 21, 2022 08:30:49.218673944 CET	35132	23	192.168.2.23	91.89.129.173
Jan 21, 2022 08:30:49.218682051 CET	35132	23	192.168.2.23	216.175.86.151
Jan 21, 2022 08:30:49.218683958 CET	35132	23	192.168.2.23	5.161.127.124
Jan 21, 2022 08:30:49.218698025 CET	35132	23	192.168.2.23	140.205.241.68
Jan 21, 2022 08:30:49.218710899 CET	35132	23	192.168.2.23	219.10.182.152
Jan 21, 2022 08:30:49.218724966 CET	35132	23	192.168.2.23	188.189.61.226

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 21, 2022 08:30:49.197036982 CET	192.168.2.23	8.8.8.8	0xc1d5	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 21, 2022 08:30:49.215936899 CET	8.8.8.8	192.168.2.23	0xc1d5	No error (0)	arcticboatz.cz		95.181.161.40	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: arm5 PID: 5223, Parent PID: 5117

General

Start time:	08:30:48
Start date:	21/01/2022
Path:	/tmp/arm5
Arguments:	/tmp/arm5
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: arm5 PID: 5225, Parent PID: 5223

General

Start time:	08:30:48
Start date:	21/01/2022
Path:	/tmp/arm5
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: sh PID: 5225, Parent PID: 5223

General

Start time:	08:30:48
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	sh -c "rm -rf bin/systemd && mkdir bin; >bin/systemd && mv /tmp/arm5 bin/systemd; chmod 777 bin/systemd"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 5227, Parent PID: 5225

General

Start time:	08:30:48
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: rm PID: 5227, Parent PID: 5225

General

Start time:	08:30:48
Start date:	21/01/2022
Path:	/usr/bin/rm
Arguments:	rm -rf bin/systemd
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Analysis Process: sh PID: 5228, Parent PID: 5225

General

Start time:	08:30:48
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: mkdir PID: 5228, Parent PID: 5225

General

Start time:	08:30:48
Start date:	21/01/2022
Path:	/usr/bin/mkdir
Arguments:	mkdir bin
File size:	88408 bytes
MD5 hash:	088c9d1df5a28ed16c726eca15964cb7

Analysis Process: sh PID: 5229, Parent PID: 5225

General

Start time:	08:30:48
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: mv PID: 5229, Parent PID: 5225

General

Start time:	08:30:48
Start date:	21/01/2022
Path:	/usr/bin/mv
Arguments:	mv /tmp/arm5 bin/systemd
File size:	149888 bytes
MD5 hash:	504f0590fa482d4da070a702260e3716

Analysis Process: sh PID: 5230, Parent PID: 5225

General

Start time:	08:30:48
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: chmod PID: 5230, Parent PID: 5225

General

Start time:	08:30:48
Start date:	21/01/2022
Path:	/usr/bin/chmod
Arguments:	chmod 777 bin/systemd
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Analysis Process: arm5 PID: 5231, Parent PID: 5223

General

Start time:	08:30:48
Start date:	21/01/2022
Path:	/tmp/arm5
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Analysis Process: arm5 PID: 5233, Parent PID: 5231

General

Start time:	08:30:48
Start date:	21/01/2022
Path:	/tmp/arm5
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report arm5

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Overview

Initial Sample

Memory Dumps

Jbx Signature Overview

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: arm5 PID: 5223, Parent PID: 5117

General

Analysis Process: arm5 PID: 5225, Parent PID: 5223

General

Analysis Process: sh PID: 5225, Parent PID: 5223

General

Analysis Process: sh PID: 5227, Parent PID: 5225

General

Analysis Process: rm PID: 5227, Parent PID: 5225

General

Analysis Process: sh PID: 5228, Parent PID: 5225

General

Analysis Process: mkdir PID: 5228, Parent PID: 5225

General

Analysis Process: sh PID: 5229, Parent PID: 5225

General

Analysis Process: mv PID: 5229, Parent PID: 5225

General

Analysis Process: sh PID: 5230, Parent PID: 5225

General

Linux Analysis Report
arm5